Platform
wordpress
Component
wp-admin-microblog
Fixed in
3.1.2
CVE-2025-12173 describes a Cross-Site Request Forgery (CSRF) vulnerability in the WP Admin Microblog plugin for WordPress, caused by missing or incorrect nonce validation on a plugin action. An attacker who lures a logged-in administrator into visiting an attacker-controlled page or clicking a crafted link can have the administrator's browser submit a request the plugin accepts as legitimate, for example sending a message. The attacker needs no account on the target site; the request is authenticated by the administrator's own session cookie. Affected versions are listed as 0.0.0 through 3.1.1; the fix is in version 3.1.2.
The primary impact is that plugin actions are performed with administrator privileges without the administrator's knowledge or consent. An attacker could cause a message or other plugin-level action to be triggered, which could be used to post misleading content, damage the site's reputation, or seed links that lead to further compromise if other users follow them. The blast radius is bounded by the set of actions the WP Admin Microblog plugin exposes: a CSRF flaw in the plugin does not by itself let the attacker read responses or run arbitrary code on the server.
CVE-2025-12173 was publicly disclosed on 2025-11-18. There are currently no known public proof-of-concept exploits. The CVSS base score of 4.3 (MEDIUM) rates severity, not likelihood of exploitation; the EPSS score of 0.03% (8th percentile) listed below puts the predicted probability of exploitation low. It is not currently listed in the CISA KEV catalog.
Websites running the WP Admin Microblog plugin are at risk whenever an administrator with an active WordPress session views attacker-controlled content (an email link, a forum post, an embedded page) in the same browser. The hosting arrangement does not change the exposure: the forged request is issued by the administrator's browser, not by another tenant on the server, so a shared host is affected only to the extent that each site on it runs the vulnerable plugin and has administrators who can be lured.
Detection (wordpress / composer / npm):
• Confirm the plugin is installed on disk:
grep -rl 'wp-admin-microblog' /var/www/html/wp-content/plugins/
• Read the installed version and status with WP-CLI (the plugin slug, not the display name, is what `wp plugin list` matches):
wp plugin list --name=wp-admin-microblog --fields=name,status,version
• Remote heuristic for sites you do not have shell access to; it relies on the standard plugin layout publishing readme.txt and may be blocked by the host:
curl -s https://example.com/wp-content/plugins/wp-admin-microblog/readme.txt | grep -i '^Stable tag'
Exploit status
disclosure
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The immediate mitigation for CVE-2025-12173 is to upgrade the WP Admin Microblog plugin to 3.1.2 or later, which addresses the missing or incorrect nonce validation. If upgrading is not immediately possible because of compatibility testing, deactivate the plugin until it can be updated; restricting which accounts may open the plugin's admin page only narrows the set of administrators who can be targeted, since the forged request is still sent from a legitimate administrator's browser. Do not rely on browser cookie defaults as a substitute: SameSite=Lax, which browsers apply to cookies that set no SameSite attribute, blocks cross-site POST submissions but still sends cookies on top-level GET navigations such as a clicked link. Monitor WordPress access logs for requests to the plugin's administrative endpoints with an unexpected or missing Referer header. After upgrading, confirm the fix by submitting the message-send request without its nonce (or with a stale one) from an administrator session and verifying that WordPress rejects it with its "The link you followed has expired." response.
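The following is an added illustration of the class of bug described on this page, not code from the WP Admin Microblog plugin: a hypothetical WordPress admin-post handler for a "send message" action written first without nonce validation (the CSRF-prone pattern) and then with the nonce and capability checks WordPress provides. Hook names, option names and function names prefixed `wpam_demo_` are assumptions made for the example.

```php
<?php
/**
 * Illustrative admin-post handlers for a hypothetical "send message" action.
 * This is example code, not the WP Admin Microblog plugin's code; all
 * wpam_demo_* names are assumptions.
 */

// --- Vulnerable pattern: capability check only, no nonce ---------------------
add_action( 'admin_post_wpam_demo_send_vuln', 'wpam_demo_send_vuln' );
function wpam_demo_send_vuln() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // The browser attaches the administrator's session cookie to any request
    // aimed at this site, including one submitted by a form on an attacker's
    // page, so the capability check passes. Nothing here proves the
    // administrator intended the request: that is the CSRF.
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    wpam_demo_store_message( $message );
    wp_safe_redirect( admin_url( 'admin.php?page=wpam-demo&sent=1' ) );
    exit;
}

// --- Hardened pattern: nonce bound to the action, then capability check ------
add_action( 'admin_post_wpam_demo_send', 'wpam_demo_send' );
function wpam_demo_send() {
    // check_admin_referer() validates $_REQUEST['_wpnonce'] against the current
    // user's session and the action string; on a missing or wrong nonce it
    // stops with wp_nonce_ays() ("The link you followed has expired.", HTTP 403).
    check_admin_referer( 'wpam_demo_send_message', '_wpnonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Refuse GET so a plain crafted link cannot trigger a state change even if
    // a nonce ever leaks into a URL.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_die( 'Method not allowed', '', array( 'response' => 405 ) );
    }

    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    wpam_demo_store_message( $message );
    wp_safe_redirect( admin_url( 'admin.php?page=wpam-demo&sent=1' ) );
    exit;
}

// The form rendered on the plugin's admin page carries the nonce. Only a page
// served to this logged-in user contains a valid value; an attacker's page
// cannot read or forge it.
function wpam_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpam_demo_send">
        <?php wp_nonce_field( 'wpam_demo_send_message', '_wpnonce' ); ?>
        <textarea name="message" rows="4" cols="60"></textarea>
        <?php submit_button( 'Send' ); ?>
    </form>
    <?php
}

// Storage is an assumed stand-in for whatever the real plugin does.
function wpam_demo_store_message( $message ) {
    $messages   = get_option( 'wpam_demo_messages', array() );
    $messages[] = array(
        'text' => $message,
        'user' => get_current_user_id(),
        'time' => time(),
    );
    update_option( 'wpam_demo_messages', $messages );
}
```

To verify a fix of this shape after upgrading, replay the form's POST from an administrator session with the `_wpnonce` field removed; the hardened handler answers with WordPress's 403 "The link you followed has expired." page, whereas the vulnerable handler records the message and redirects. Nonces are tied to the user and rotate over time, so a nonce copied from one administrator's page does not validate for another, and an expired one is refused the same way.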
A fixed release exists: the header above lists 3.1.2 as the version that corrects this issue, so updating is the patch. Review the vulnerability details and apply interim mitigations according to your organization's risk tolerance; where the plugin cannot be updated, deactivating or uninstalling it and looking for a replacement removes the exposure.
CVE-2025-12173 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Admin Microblog WordPress plugin, allowing attackers to potentially perform actions as an administrator.
You are affected if you are running WP Admin Microblog versions 0.0.0 through 3.1.1. Upgrade to 3.1.2 or later as soon as possible.
Upgrade the WP Admin Microblog plugin to a version that addresses the nonce validation issue. If upgrading is not immediately possible, restrict administrator access to the plugin's administrative page.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Check the WP Admin Microblog plugin's official website or WordPress plugin repository for updates and advisories related to CVE-2025-12173.