Platform
wordpress
Component
auto-prune-posts
Fixed in
3.1.0
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Auto Prune Posts WordPress plugin. This flaw allows an attacker to trick authenticated users into performing actions they didn't intend, potentially leading to data deletion or configuration changes. The vulnerability affects versions from 0.0.0 through 3.0.0, and a fix is available in version 3.1.0.
The CSRF vulnerability in Auto Prune Posts allows an attacker to execute plugin actions on behalf of a logged-in user without that user's knowledge. A browser sends the WordPress authentication cookies with any request to the site, including one submitted from a page the attacker controls, so a plugin action that does not verify a nonce cannot tell a forged request from a legitimate one. In this plugin the reachable actions are the ones it exposes: deleting (pruning) posts, modifying pruning schedules, or altering other plugin settings. The attacker gets exactly the rights of the victim, so the damage is bounded by what the targeted user is allowed to do; a forged request executed in an administrator's browser can cause data loss and disruption of service. While no specific real-world exploitation has been publicly reported, CSRF vulnerabilities are frequently exploited in WordPress environments.
This vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, which points to a low probability of active exploitation, consistent with the EPSS score below. The vulnerability was disclosed on 2025-11-13. The CVSS score of 6.5 (MEDIUM) reflects the limited confidentiality impact and the need for user interaction on one side, and the low attack complexity on the other.
WordPress websites running the Auto Prune Posts plugin in versions 0.0.0 through 3.0.0 are at risk. The realistic targets are users who hold the capability the plugin's actions require (typically administrators) and who are logged in while browsing other sites, since the forged request only succeeds inside such a user's browser session.
• wordpress / composer / npm (confirm the installed version; WP-CLI, or the plugin header if WP-CLI is unavailable):
wp plugin get auto-prune-posts --field=version
grep -rim1 'Version:' /var/www/html/wp-content/plugins/auto-prune-posts/*.php
• wordpress (heuristic: a plugin whose request handlers never call a nonce check is a CSRF candidate; absence of these calls is a red flag, their presence is not proof of a fix):
grep -rE 'wp_verify_nonce|check_admin_referer|check_ajax_referer' /var/www/html/wp-content/plugins/auto-prune-posts/
Exploit status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-64262 is to upgrade the Auto Prune Posts plugin to version 3.1.0 or later. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider a Web Application Firewall (WAF) with CSRF protection rules, for example rules that reject cross-origin POST requests to admin-post.php or admin-ajax.php that carry no valid nonce for the plugin's actions. Educate privileged users about the risks of clicking suspicious links or visiting untrusted websites while logged in to the WordPress dashboard. Note that a Content Security Policy on the WordPress site does not prevent CSRF: the forged request originates from a page the site does not control, so CSP on the victim site never sees it. Modern browsers' SameSite=Lax default for cookies blocks cookies on cross-site POST submissions but still sends them on top-level GET navigations, so any plugin action reachable via GET remains exposed. After upgrading, verify the plugin's functionality and confirm that the CSRF protection is active by replaying a pruning or settings request with the nonce parameter removed or altered; a patched handler must reject it (WordPress responds with a 403 and "The link you followed has expired.").
Update to version 3.1.0 or a later patched version
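The following is an added illustration, not code from the Auto Prune Posts plugin (whose handler and action names are not given on this page). It shows the generic WordPress pattern behind a CSRF of this kind: an admin-post.php handler that trusts any logged-in request, next to the hardened form that binds the action to a nonce and re-checks the capability. Every identifier prefixed `example_`, the `days` parameter, and the option name are hypothetical.

```php
<?php
// Added example, not the plugin's own code. All example_* names, the
// 'days' field and the 'example_prune_days' option are hypothetical.

// Shared worker: trash published posts older than $days and report how many.
function example_delete_posts_older_than( $days ) {
    $ids = get_posts( array(
        'post_type'   => 'post',
        'post_status' => 'publish',
        'numberposts' => -1,
        'fields'      => 'ids',
        'date_query'  => array( array( 'before' => "{$days} days ago" ) ),
    ) );
    foreach ( $ids as $id ) {
        wp_trash_post( $id );
    }
    return count( $ids );
}

// --- VULNERABLE PATTERN ---------------------------------------------------
// Reachable at admin-post.php?action=example_prune_now_vuln for any logged-in
// user. No nonce and no capability check: a page on an attacker's site can
// auto-submit a form to this URL and the victim's browser attaches the
// WordPress auth cookies, so the action runs with the victim's rights.
add_action( 'admin_post_example_prune_now_vuln', 'example_prune_now_vulnerable' );
function example_prune_now_vulnerable() {
    $days = (int) $_POST['days'];
    update_option( 'example_prune_days', $days );   // settings change
    example_delete_posts_older_than( $days );        // data deletion
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// --- HARDENED PATTERN -----------------------------------------------------
// 1. The settings form embeds a nonce tied to this user and this action.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_prune_now', 'example_nonce' ); ?>
        <input type="hidden" name="action" value="example_prune_now">
        <input type="number" name="days" min="1"
               value="<?php echo esc_attr( get_option( 'example_prune_days', 30 ) ); ?>">
        <?php submit_button( 'Prune now' ); ?>
    </form>
    <?php
}

// 2. The handler refuses to act unless the nonce and the capability check out.
add_action( 'admin_post_example_prune_now', 'example_prune_now_hardened' );
function example_prune_now_hardened() {
    // Dies with HTTP 403 when the nonce is missing, expired, or was issued for
    // another user or action. A cross-site page cannot obtain a valid one.
    check_admin_referer( 'example_prune_now', 'example_nonce' );

    // Nonces prove intent, not authorization: re-check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $days = absint( wp_unslash( $_POST['days'] ?? 0 ) );
    if ( $days < 1 ) {
        wp_die( 'Invalid retention period', '', array( 'response' => 400 ) );
    }

    update_option( 'example_prune_days', $days );
    example_delete_posts_older_than( $days );
    wp_safe_redirect( admin_url( 'options-general.php?page=example&pruned=1' ) );
    exit;
}

// The same rule applies to AJAX endpoints: use check_ajax_referer() there.
add_action( 'wp_ajax_example_prune_now', 'example_prune_now_ajax' );
function example_prune_now_ajax() {
    check_ajax_referer( 'example_prune_now', 'example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $days = absint( wp_unslash( $_POST['days'] ?? 0 ) );
    wp_send_json_success( array( 'trashed' => example_delete_posts_older_than( $days ) ) );
}
```

To verify a fix in the style of the last step above, submit the settings form once, capture the POST to admin-post.php, then replay it with the nonce field deleted or its value altered: the hardened handler returns 403 before any post is touched, while a vulnerable handler prunes regardless. Note that `wp_nonce_field()` in a form is not enough on its own; the protection lives in the `check_admin_referer()` / `check_ajax_referer()` call inside the handler, which is why a grep of the plugin should look for the verification functions rather than only the field helper.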
CVE-2025-64262 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Auto Prune Posts WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using Auto Prune Posts versions 0.0.0 through 3.0.0. Upgrade to 3.1.0 or later to mitigate the risk.
Upgrade the Auto Prune Posts plugin to version 3.1.0 or later. Consider implementing WAF rules and educating users about CSRF risks.
While no active exploitation has been publicly confirmed, CSRF vulnerabilities are frequently targeted, so vigilance is advised.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.