Plataforma
wordpress
Componente
peer-publish
Corregido en
1.0.1
CVE-2025-12587 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Peer Publish plugin for WordPress. This flaw allows unauthenticated attackers to manipulate website configurations, such as adding, modifying, or deleting websites, if they can trick an administrator into performing actions via a forged request. The vulnerability impacts versions 1.0.0 through 1.0, and a fix is pending.
The core impact of this CSRF vulnerability lies in the potential for unauthorized modification of website configurations. An attacker could leverage this to add malicious websites, alter existing settings to redirect traffic or inject malicious code, or even delete legitimate websites. Successful exploitation could lead to a complete compromise of the WordPress site's functionality and data integrity. The attack vector relies on social engineering – tricking an administrator into clicking a malicious link or visiting a crafted page. While requiring user interaction, the ease of crafting such attacks makes this a significant risk.
This vulnerability was publicly disclosed on 2025-11-25. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively straightforward nature of CSRF exploitation and the plugin's functionality, it is reasonable to expect that attackers may begin targeting vulnerable installations.
WordPress websites utilizing the Peer Publish plugin, particularly those with shared hosting environments or where administrator accounts are not adequately secured, are at heightened risk. Sites with less stringent URL filtering and those where administrators are prone to clicking on suspicious links are also more vulnerable.
• wordpress / composer / npm:
grep -r 'Peer Publish' /var/www/html/wp-content/plugins/
wp plugin list --status=all | grep 'Peer Publish'• generic web:
curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=peer_publish_add_websitedisclosure
Estado del Exploit
EPSS
0.02% (3% percentil)
CISA SSVC
Vector CVSS
The primary mitigation is to upgrade to a patched version of the Peer Publish plugin as soon as it becomes available. Until then, consider implementing temporary workarounds. Restrict administrator access to only essential tasks and implement strict URL filtering to prevent access to potentially malicious sites. Employ a Web Application Firewall (WAF) with CSRF protection rules to block forged requests. Regularly review website configurations for any unauthorized changes. After upgrading, confirm the fix by attempting a CSRF attack on the website management pages and verifying that the request is blocked.
No se conoce ningún parche disponible. Por favor, revise los detalles de la vulnerabilidad en profundidad y emplee mitigaciones basadas en la tolerancia al riesgo de su organización. Puede ser mejor desinstalar el software afectado y buscar un reemplazo.
Análisis de vulnerabilidades y alertas críticas directamente en tu correo.
CVE-2025-12587 is a Cross-Site Request Forgery (CSRF) vulnerability in the Peer Publish WordPress plugin, allowing attackers to manipulate website configurations via forged requests.
You are affected if you are using Peer Publish WordPress plugin versions 1.0.0–1.0 and have not upgraded to a patched version.
Upgrade to a patched version of the Peer Publish plugin as soon as it becomes available. Implement temporary workarounds like URL filtering and WAF rules until the upgrade.
No active exploitation has been confirmed at this time, but the vulnerability's nature suggests potential for future attacks.
Check the Peer Publish plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-12587.
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.