Platform
wordpress
Component
contentstudio
Fixed in
1.3.8
CVE-2025-13144 is a Cross-Site Request Forgery (CSRF) vulnerability in the ContentStudio WordPress plugin. The plugin's settings-update handler lacked nonce validation, so an unauthenticated attacker who can lure a logged-in administrator into loading a crafted page or link can make that administrator's browser submit a forged request that changes plugin settings. Versions 1.0.0 through 1.3.7 are affected; the advisory text lists version 1.4.0 as the patched release.
Successful exploitation lets an attacker alter the ContentStudio plugin's configuration without holding any credentials of their own: the forged request is authorized by the victim administrator's existing session. Depending on which options the handler exposes, that could mean changed API keys, altered content-scheduling parameters, or other plugin settings being switched off or redirected, with knock-on effects on site behaviour. The blast radius is bounded by what the plugin's settings control, but unauthorized changes there can still disrupt site operations and undermine the integrity of published content.
The vulnerability was publicly disclosed on 2025-12-05. No public proof-of-concept (PoC) code had been released at the time of writing, and the issue is not listed in the CISA KEV catalog. Because a CSRF exploit is nothing more than a page or link that auto-submits a request, the absence of a public PoC should not be read as low risk; one can be written quickly once the handler's parameters are known.
Any site running an affected ContentStudio version is exposed whenever a user who may change the plugin's settings (typically an administrator) is logged in and visits attacker-controlled content, whether a link in an email, a comment, or any third-party page. Password strength and multi-factor authentication do not reduce this risk: CSRF rides on the victim's already-authenticated session, and the browser attaches the valid cookies itself. The only client-side factor that matters is cookie handling; browsers that default to SameSite=Lax withhold the session cookie on cross-site POST submissions but still send it on top-level GET navigations, so whether a given lure works depends on how the vulnerable handler accepts its input, not on how the account is secured.
• wordpress / composer / npm (confirm the settings handler is present; this shows the plugin is installed, not that the version is vulnerable):
grep -r 'add_cstu_settings' /var/www/html/wp-content/plugins/contentstudio/
• wordpress / composer / npm (confirm the plugin is installed and active, and read its version):
wp plugin list --status=active | grep contentstudio
• wordpress / composer / npm (update to the patched release):
wp plugin update contentstudio
Exploit Status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-13144 is to upgrade the ContentStudio plugin to version 1.4.0 or later, which adds the missing nonce validation to the settings handler. If upgrading must wait because of compatibility concerns, a Web Application Firewall (WAF) rule can serve as a stopgap: a WAF cannot verify WordPress nonces, but it can reject requests that invoke `add_cstu_settings` and arrive with a missing or foreign `Origin`/`Referer` header, which is what a cross-site lure produces. Audit the plugin's current settings for changes you did not make and keep watching for unexpected modifications until the upgrade is in place. Strong passwords and multi-factor authentication remain good practice for administrator accounts, but they do not mitigate this bug: CSRF abuses a session that is already authenticated, so only the nonce check (or an equivalent origin check) breaks the attack.
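To make "nonce validation fix" concrete, the following is an illustrative WordPress settings handler written for this page. It is not ContentStudio's code: the `admin_post` hook name, the `cstu_api_key` option and the form field names are assumptions chosen to show the vulnerable shape next to the hardened one.

```php
<?php
// Illustrative example written for this advisory; not ContentStudio's code.
// Hook name, option key and field names are assumptions.

// VULNERABLE shape: authorizes on the session cookie alone. Any page the
// administrator visits can auto-submit a form to
// admin-post.php?action=cstu_save_settings and the browser attaches the
// administrator's cookies, so the capability check below passes for the
// attacker's request exactly as it would for a legitimate one.
function cstu_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // No nonce check here: this is the defect class described above.
    $api_key = isset( $_POST['cstu_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['cstu_api_key'] ) )
        : '';
    update_option( 'cstu_api_key', $api_key );
    wp_safe_redirect( admin_url( 'options-general.php?page=cstu&saved=1' ) );
    exit;
}

// HARDENED shape: require a nonce tied to this user and this action. The
// attacker's page cannot read the nonce out of the admin UI (same-origin
// policy), so a forged request cannot supply a valid one.
function cstu_save_settings_hardened() {
    // check_admin_referer() ends the request with a 403 when the
    // 'cstu_nonce' field is missing, expired, or was issued for a
    // different user or action. It must run before any state change.
    check_admin_referer( 'cstu_save_settings', 'cstu_nonce' );

    // The capability check is still required: a nonce proves intent,
    // not authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    $api_key = isset( $_POST['cstu_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['cstu_api_key'] ) )
        : '';
    update_option( 'cstu_api_key', $api_key );
    wp_safe_redirect( admin_url( 'options-general.php?page=cstu&saved=1' ) );
    exit;
}
add_action( 'admin_post_cstu_save_settings', 'cstu_save_settings_hardened' );

// The settings form must emit the matching nonce field, otherwise the
// hardened handler rejects legitimate submissions as well.
function cstu_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cstu_save_settings">
        <?php wp_nonce_field( 'cstu_save_settings', 'cstu_nonce' ); ?>
        <label>
            API key
            <input type="text" name="cstu_api_key"
                   value="<?php echo esc_attr( get_option( 'cstu_api_key', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The two handlers differ by a single call, which is why CSRF in settings pages is so common: the capability check looks like authorization, but it only confirms who the victim is. Browser SameSite defaults are defence in depth, not a substitute; a nonce also protects handlers that accept their input via GET, where Lax cookies are still sent.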
Upgrade to version 1.4.0, or a later patched release.
CVE-2025-13144 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the ContentStudio WordPress plugin, allowing attackers to modify plugin settings via forged requests.
You are affected if you are using ContentStudio WordPress plugin versions 1.0.0 through 1.3.7. Upgrade to version 1.4.0 or later to mitigate the vulnerability.
Upgrade the ContentStudio plugin to version 1.4.0 or later. Consider implementing WAF rules as a temporary workaround if upgrading is not immediately possible.
There is no confirmed active exploitation of CVE-2025-13144 at this time, but the vulnerability's nature makes it a potential target for future attacks.
Refer to the ContentStudio plugin's official website or WordPress plugin repository for the latest advisory and update information regarding CVE-2025-13144.