MEDIUM · CVE-2025-13362 · CVSS 4.3

CVE-2025-13362: CSRF in Norby AI WordPress Plugin

Platform

wordpress

Component

norby-ai

Fixed in

1.0.4

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2025-13362 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Norby AI plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the plugin's settings, potentially injecting malicious web scripts. The vulnerability impacts versions 1.0.0 through 1.0.3 and can be mitigated by upgrading to a patched version of the plugin.


Impact and Attack Scenarios

The primary impact of this CSRF vulnerability is the ability for an attacker to modify the Norby AI plugin's configuration without authentication. By crafting a malicious request and tricking a site administrator into clicking a link or visiting a compromised page, an attacker can alter plugin settings. This could involve injecting arbitrary JavaScript code, potentially leading to account takeover, data theft, or defacement of the WordPress site. The blast radius extends to any site running the vulnerable Norby AI plugin, particularly sites whose administrators could be socially engineered into issuing the malicious request.

Exploitation Context

CVE-2025-13362 was publicly disclosed on December 5, 2025. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this date. Given the relatively straightforward nature of CSRF exploitation and the plugin's popularity, it is reasonable to expect that public exploits may emerge in the future.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.02% (3% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (base score 4.3, MEDIUM; source: nextguardhq.com)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: norby-ai
Vendor: wordfence
Affected range: 0 – 1.0.3
Fixed in: 1.0.4

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 170 days since disclosure

Mitigation and Workarounds

The recommended mitigation is to immediately upgrade the Norby AI plugin to a version that addresses this CSRF vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting access to the plugin's settings page. This can be achieved through role-based access control (RBAC) plugins or custom code that limits access to authorized administrators only. While not a complete solution, this can reduce the attack surface. After upgrading, verify the fix by attempting to access the plugin's settings page from a different browser session without being logged in as an administrator; the page should redirect or display an access denied error.
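For plugin maintainers, the class of bug described here is closed by the standard WordPress settings-handler pattern: a capability check, a nonce check that a forged cross-site request cannot satisfy, and sanitization of every stored value so a tampered setting cannot become stored script. The example below is added here and is not the Norby AI plugin's code; the hook name, option key, nonce action and field names are all hypothetical.

```php
<?php
// Added example (not the Norby AI plugin's code). All identifiers are hypothetical.
// Registers a settings-save handler on admin-post.php and the form that submits to it.

add_action( 'admin_post_example_plugin_save_settings', 'example_plugin_save_settings' );

function example_plugin_save_settings() {
    // 1. Authorization: only users who may manage options can change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-plugin' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the request must carry a nonce issued to this user for this
    //    action. A page on another origin cannot read or forge it, so check_admin_referer()
    //    stops the forged request before any setting is written.
    check_admin_referer( 'example_plugin_save_settings', 'example_plugin_nonce' );

    // 3. Input validation: strip markup from free-text fields and coerce flags to integers,
    //    so nothing submitted here is later echoed as executable script.
    $api_key = isset( $_POST['example_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_api_key'] ) )
        : '';
    $enabled = ! empty( $_POST['example_enabled'] ) ? 1 : 0;

    update_option( 'example_plugin_settings', array(
        'api_key' => $api_key,
        'enabled' => $enabled,
    ) );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example-plugin' ) ) );
    exit;
}

// The settings form must embed the matching nonce; output is escaped on the way out as well.
function example_plugin_render_settings_form() {
    $settings = get_option( 'example_plugin_settings', array( 'api_key' => '', 'enabled' => 0 ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save_settings">
        <?php wp_nonce_field( 'example_plugin_save_settings', 'example_plugin_nonce' ); ?>
        <input type="text" name="example_api_key" value="<?php echo esc_attr( $settings['api_key'] ); ?>">
        <label>
            <input type="checkbox" name="example_enabled" value="1" <?php checked( $settings['enabled'], 1 ); ?>>
            Enabled
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

A request that arrives without a valid nonce never reaches update_option(): check_admin_referer() terminates it with WordPress's "The link you followed has expired" page, which is also what a tester sees when verifying that a settings endpoint is protected.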

How to fix

No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.


Frequently asked questions

What is CVE-2025-13362 — CSRF in Norby AI WordPress Plugin?

CVE-2025-13362 is a Cross-Site Request Forgery (CSRF) vulnerability in the Norby AI WordPress plugin versions 1.0.0–1.0.3, allowing attackers to modify plugin settings via forged requests.

Am I affected by CVE-2025-13362 in Norby AI WordPress Plugin?

You are affected if your WordPress site uses the Norby AI plugin in versions 1.0.0 through 1.0.3. Upgrade to a patched version to resolve the vulnerability.

How do I fix CVE-2025-13362 in Norby AI WordPress Plugin?

The primary fix is to upgrade the Norby AI plugin to a version that addresses the CSRF vulnerability. As a temporary workaround, restrict access to the plugin's settings page.

Is CVE-2025-13362 being actively exploited?

As of December 5, 2025, there are no confirmed reports of active exploitation, but the vulnerability is considered potentially exploitable.

Where can I find the official Norby AI advisory for CVE-2025-13362?

Refer to the Norby AI plugin's official website or WordPress plugin repository for the latest advisory and update information.
