Peer Publish <= 1.0 - Cross-Site Request Forgery
Plateforme
wordpress
Composant
peer-publish
Corrigé dans
1.0.1
CVE-2025-12587 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Peer Publish plugin for WordPress. This flaw allows unauthenticated attackers to manipulate website configurations, such as adding, modifying, or deleting websites, if they can trick an administrator into performing actions via a forged request. The vulnerability impacts versions 1.0.0 through 1.0, and a fix is pending.
Détecte cette CVE dans ton projet
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Impact et Scénarios d'Attaquetraduction en cours…
The core impact of this CSRF vulnerability lies in the potential for unauthorized modification of website configurations. An attacker could leverage this to add malicious websites, alter existing settings to redirect traffic or inject malicious code, or even delete legitimate websites. Successful exploitation could lead to a complete compromise of the WordPress site's functionality and data integrity. The attack vector relies on social engineering – tricking an administrator into clicking a malicious link or visiting a crafted page. While requiring user interaction, the ease of crafting such attacks makes this a significant risk.
Contexte d'Exploitationtraduction en cours…
This vulnerability was publicly disclosed on 2025-11-25. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively straightforward nature of CSRF exploitation and the plugin's functionality, it is reasonable to expect that attackers may begin targeting vulnerable installations.
Qui Est à Risquetraduction en cours…
WordPress websites utilizing the Peer Publish plugin, particularly those with shared hosting environments or where administrator accounts are not adequately secured, are at heightened risk. Sites with less stringent URL filtering and those where administrators are prone to clicking on suspicious links are also more vulnerable.
Étapes de Détectiontraduction en cours…
• wordpress / composer / npm:
grep -r 'Peer Publish' /var/www/html/wp-content/plugins/
wp plugin list --status=all | grep 'Peer Publish'• generic web:
curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=peer_publish_add_websiteChronologie de l'Attaque
- Disclosure
disclosure
Renseignement sur les Menaces
Statut de l'Exploit
EPSS
0.02% (percentile 3%)
CISA SSVC
Vecteur CVSS
Que signifient ces métriques?
- Attack Vector
- Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
- Attack Complexity
- Faible — aucune condition spéciale requise. Exploitable de manière fiable.
- Privileges Required
- Aucun — sans authentification. Aucune identifiant requis pour exploiter.
- User Interaction
- Requise — la victime doit ouvrir un fichier, cliquer sur un lien ou visiter une page.
- Scope
- Inchangé — impact limité au composant vulnérable.
- Confidentiality
- Aucun — aucun impact sur la confidentialité.
- Integrity
- Faible — l'attaquant peut modifier certaines données avec un impact limité.
- Availability
- Aucun — aucun impact sur la disponibilité.
Logiciel Affecté
Classification de Faiblesse (CWE)
Chronologie
- Réservé
- Publiée
- Modifiée
- EPSS mis à jour
Mitigation et Contournementstraduction en cours…
The primary mitigation is to upgrade to a patched version of the Peer Publish plugin as soon as it becomes available. Until then, consider implementing temporary workarounds. Restrict administrator access to only essential tasks and implement strict URL filtering to prevent access to potentially malicious sites. Employ a Web Application Firewall (WAF) with CSRF protection rules to block forged requests. Regularly review website configurations for any unauthorized changes. After upgrading, confirm the fix by attempting a CSRF attack on the website management pages and verifying that the request is blocked.
Comment corriger
Aucun correctif connu n'est disponible. Veuillez examiner en profondeur les détails de la vulnérabilité et mettre en œuvre des mesures d'atténuation en fonction de la tolérance au risque de votre organisation. Il peut être préférable de désinstaller le logiciel affecté et de trouver un remplacement.
Newsletter Sécurité CVE
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
Questions fréquentestraduction en cours…
What is CVE-2025-12587 — CSRF in Peer Publish WordPress Plugin?
CVE-2025-12587 is a Cross-Site Request Forgery (CSRF) vulnerability in the Peer Publish WordPress plugin, allowing attackers to manipulate website configurations via forged requests.
Am I affected by CVE-2025-12587 in Peer Publish WordPress Plugin?
You are affected if you are using Peer Publish WordPress plugin versions 1.0.0–1.0 and have not upgraded to a patched version.
How do I fix CVE-2025-12587 in Peer Publish WordPress Plugin?
Upgrade to a patched version of the Peer Publish plugin as soon as it becomes available. Implement temporary workarounds like URL filtering and WAF rules until the upgrade.
Is CVE-2025-12587 being actively exploited?
No active exploitation has been confirmed at this time, but the vulnerability's nature suggests potential for future attacks.
Where can I find the official Peer Publish advisory for CVE-2025-12587?
Check the Peer Publish plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-12587.
Ton projet est-il affecté ?
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.