Platform: wordpress
Component: ark-relatedpost
Fixed in: 2.20
CVE-2025-13684 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the ARK Related Posts plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the plugin's configuration settings if they can trick a site administrator into performing a malicious action. The vulnerability impacts versions 0.0.0 through 2.19, and a fix is available in version 2.20.
The primary impact of this CSRF vulnerability is the potential for unauthorized modification of the ARK Related Posts plugin's settings. An attacker could leverage this to alter how related posts are displayed, potentially injecting malicious content or redirecting users. While the plugin itself might not contain sensitive data, changes to its configuration could impact the overall site experience and potentially be used as a stepping stone for further attacks. Successful exploitation requires the attacker to convince a site administrator to click a malicious link, making social engineering a key component of the attack. This vulnerability is similar in nature to other CSRF flaws, where an attacker leverages a user's authenticated session to perform actions on their behalf.
This vulnerability was publicly disclosed on 2025-12-05. There is currently no indication of active exploitation campaigns targeting this specific flaw. No Proof-of-Concept (PoC) code has been publicly released. The vulnerability has not been added to the CISA KEV catalog at the time of this writing.
WordPress sites utilizing the ARK Related Posts plugin, particularly those with site administrators who are susceptible to social engineering attacks, are at risk. Shared hosting environments where plugin updates are managed centrally may also be vulnerable if the plugin is not promptly updated across all sites.
• wordpress / composer / npm:
grep -r 'ark_rp_options_page' /var/www/html/wp-content/plugins/ark-related-posts/
• wordpress / composer / npm:
wp plugin list | grep 'ark-related-posts'
• wordpress / composer / npm:
wp plugin update ark-related-posts --version=2.20
Exploit status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-13684 is to immediately upgrade the ARK Related Posts plugin to version 2.20 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests to the arkrpoptions_page endpoint that lack proper nonce validation. Additionally, educate site administrators about the risks of clicking on suspicious links and verify the legitimacy of any requests before confirming them. Regularly review plugin configurations for any unauthorized changes.
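As an added illustration of what "proper nonce validation" means for a WordPress settings endpoint (this is hypothetical example code, not the ARK Related Posts plugin's own handler), the save routine below is shown first without and then with the check; every option, action and field name is an assumption:

```php
<?php
// Added example, not the plugin's code. Hypothetical settings-save handler for
// a WordPress plugin, without and with CSRF protection. Option names, action
// names and field names are assumptions.

// --- Vulnerable pattern (defined here for comparison, not registered). ---
// A page the administrator is lured to can auto-submit a form to
// admin-post.php from another origin; the browser attaches the admin's session
// cookie, so the request passes the capability check and the settings change.
function example_rp_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // No nonce check: the request is accepted on the session cookie alone.
    update_option( 'example_rp_num_posts', absint( $_POST['num_posts'] ?? 0 ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-rp' ) );
    exit;
}

// --- Hardened pattern: capability check plus a nonce bound to the action. ---
function example_rp_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() verifies the '_wpnonce' field against the
    // 'example_rp_save_settings' action for the current user and session.
    // A cross-site form cannot know that value, so the request dies here.
    check_admin_referer( 'example_rp_save_settings', '_wpnonce' );

    update_option( 'example_rp_num_posts', absint( $_POST['num_posts'] ?? 0 ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-rp&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_rp_save', 'example_rp_save_settings_hardened' );

// The settings form must emit the matching nonce field for the hardened handler.
function example_rp_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_rp_save">
        <?php wp_nonce_field( 'example_rp_save_settings', '_wpnonce' ); ?>
        <label>Related posts to show
            <input type="number" name="num_posts"
                   value="<?php echo esc_attr( get_option( 'example_rp_num_posts', 5 ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

A WAF rule that rejects POSTs to the settings endpoint without a `_wpnonce` parameter only approximates this check; the server-side nonce verification is the actual fix.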
Update to version 2.20, or a more recent patched version.
CVE-2025-13684 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–2.19 of the ARK Related Posts WordPress plugin, allowing attackers to modify plugin settings.
You are affected if your WordPress site uses the ARK Related Posts plugin in versions 0.0.0 through 2.19. Upgrade to 2.20 or later to resolve the issue.
Upgrade the ARK Related Posts plugin to version 2.20 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-13684.
Refer to the ARK Related Posts plugin's official website or WordPress plugin repository for the latest advisory and update information.