Platform: wordpress
Component: rencontre
Fixed in: 3.13.8
CVE-2025-67534 identifies a Cross-Site Request Forgery (CSRF) vulnerability within the Rencontre WordPress plugin. This flaw can be exploited to trigger Stored XSS attacks, potentially leading to unauthorized code execution and data compromise. The vulnerability affects versions from 0.0.0 up to and including 3.13.7, with a fix available in version 3.13.8.
The CSRF vulnerability in Rencontre allows an attacker to craft malicious requests that appear to originate from a legitimate user. Successfully exploiting this vulnerability can lead to Stored XSS, where malicious JavaScript code is stored on the server and executed when other users visit affected pages. This can result in session hijacking, defacement of the website, redirection to malicious sites, or the theft of sensitive user data. The impact is amplified if the plugin is used in environments with privileged user roles, as an attacker could potentially gain administrative access to the WordPress site.
CVE-2025-67534 was publicly disclosed on 2025-12-09. There is currently no indication of active exploitation campaigns targeting this vulnerability. The CVSS score of 7.1 (HIGH) reflects the potential for significant impact if exploited. No KEV listing at the time of writing.
WordPress websites utilizing the Rencontre plugin, particularly those with user roles that have administrative privileges, are at risk. Shared hosting environments where plugin updates are managed centrally are also at increased risk, as they may be slower to apply security patches.
• wordpress / composer / npm:
    grep -r 'rencontre/plugin.php' /var/www/html/
    wp plugin list | grep rencontre
• generic web:
    curl -I https://your-wordpress-site.com/wp-content/plugins/rencontre/plugin.php | grep -i '3.13.7'
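As an added example (not part of this advisory and not code from the Rencontre project), the POSIX shell script below reads the `Version:` header that WordPress plugins declare in their main PHP file and compares it against the fixed version 3.13.8 named above. It covers both the initial check (is an affected build installed?) and the post-upgrade verification (does the installed header now read 3.13.8 or later?). The plugin directory path `/var/www/html/wp-content/plugins/rencontre` is the standard WordPress layout and is an assumption; the throwaway plugin file in the demo is constructed for illustration.

```shell
#!/bin/sh
# Added example: check an installed Rencontre plugin's declared version against
# the fixed version from the advisory (CVE-2025-67534, fixed in 3.13.8).

FIXED_VERSION="3.13.8"
# Assumed default location of the plugin on a stock WordPress install.
DEFAULT_PLUGIN_DIR="/var/www/html/wp-content/plugins/rencontre"

# rencontre_version DIR -> prints the "Version:" header value, or nothing if absent.
# WordPress reads plugin metadata from a comment header in the main PHP file;
# the file name is discovered by grep rather than assumed.
rencontre_version() {
    grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$1"/*.php 2>/dev/null \
        | head -n 1 \
        | sed -E 's/^.*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# version_lt A B -> exit 0 (true) if dotted version A sorts before B.
# Pure POSIX sh: compares each dotted component numerically, missing
# components count as 0, and a trailing non-digit suffix (e.g. "8rc1") is ignored.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        a="${a#*.}";   b="${b#*.}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# check_rencontre DIR -> prints one status line.
# Exit status: 0 = patched, 1 = affected build installed, 2 = version unknown.
check_rencontre() {
    v="$(rencontre_version "$1")"
    if [ -z "$v" ]; then
        echo "unknown: no Version: header found under $1"
        return 2
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "vulnerable: rencontre $v < $FIXED_VERSION (CVE-2025-67534)"
        return 1
    fi
    echo "patched: rencontre $v >= $FIXED_VERSION"
    return 0
}

# Demo on a constructed plugin directory carrying the last affected version.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/rencontre.php" <<'EOF'
<?php
/*
Plugin Name: Rencontre
Version: 3.13.7
*/
EOF
check_rencontre "$demo_dir" || echo "exit status $? (1 = update to $FIXED_VERSION required)"
rm -rf "$demo_dir"

# On a real host, run the check against the assumed plugin directory instead:
#   check_rencontre "$DEFAULT_PLUGIN_DIR"
```

The header check is more reliable than grepping an HTTP `HEAD` response, since the plugin's version is declared in its PHP file and is not normally exposed in response headers; the exit status lets the function drop into a cron job or configuration-management run that flags hosts still on an affected build.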
Exploit status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-67534 is to immediately upgrade the Rencontre WordPress plugin to version 3.13.8 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests with suspicious CSRF tokens. Additionally, ensure that all user input is properly validated and sanitized to prevent the injection of malicious code. After upgrading, verify the fix by attempting to submit a request with a crafted CSRF token to a sensitive plugin endpoint.
Update to version 3.13.8 or a later patched release.
CVE-2025-67534 is a Cross-Site Request Forgery (CSRF) vulnerability in the Rencontre WordPress plugin allowing Stored XSS. It affects versions 0.0.0–3.13.7.
You are affected if your WordPress site uses the Rencontre plugin and is running version 3.13.7 or earlier. Upgrade to 3.13.8 to resolve the issue.
Upgrade the Rencontre WordPress plugin to version 3.13.8 or later. Consider a WAF rule as a temporary workaround if immediate upgrade is not possible.
There is currently no evidence of active exploitation, but the vulnerability's potential impact warrants immediate attention and remediation.
Refer to the official Rencontre plugin documentation and WordPress security announcements for the latest advisory and updates.