Platform
wordpress
Component
reuters-direct
Fixed in
3.0.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Reuters Direct plugin for WordPress. This flaw, affecting versions from 0.0.0 through 3.0.0, stems from inadequate nonce validation on the 'class-reuters-direct-settings.php' page. Successful exploitation allows an attacker to manipulate plugin settings by tricking a site administrator into performing actions via a crafted link.
The primary impact of this CSRF vulnerability is the potential for unauthorized modification of the Reuters Direct plugin's settings. An attacker could leverage this to alter configurations, potentially impacting the plugin's functionality or introducing malicious behavior. While the plugin itself may not directly expose sensitive data, changes to its settings could indirectly affect the broader WordPress site's security posture. The attack requires the administrator to click a malicious link, making social engineering a key component of exploitation. This vulnerability is similar to other CSRF flaws where an attacker can perform actions on behalf of an authenticated user without their knowledge.
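The advisory attributes the flaw to missing nonce validation on the settings page. The following is an added illustration of that pattern and of its usual fix in WordPress plugin code; it is not code from the Reuters Direct plugin, and every function, option and nonce name (the `rd_demo_` prefix) is hypothetical. The vulnerable handler writes an option on any POST; the hardened handler requires a capability check and a nonce that WordPress ties to the logged-in user and the named action, so a request forged from another origin is rejected before anything is saved.

```php
<?php
// Added illustration of the CSRF pattern described in the advisory. This is
// NOT code from the Reuters Direct plugin; all rd_demo_* names are hypothetical.

// --- Vulnerable pattern: the option is saved on any POST, with no nonce and no
// capability check. An administrator who submits a form hosted by a third
// party (CSRF) ends up saving attacker-chosen values. ---
function rd_demo_save_settings_vulnerable() {
    if ( isset( $_POST['rd_demo_api_key'] ) ) {
        update_option(
            'rd_demo_api_key',
            sanitize_text_field( wp_unslash( $_POST['rd_demo_api_key'] ) )
        );
    }
}

// --- Hardened pattern, part 1: the form embeds a nonce bound to the current
// user session and to the action name 'rd_demo_save_settings'. ---
function rd_demo_render_settings_form() {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'rd_demo_save_settings', 'rd_demo_nonce' ); ?>
        <label for="rd_demo_api_key">API key</label>
        <input type="text" id="rd_demo_api_key" name="rd_demo_api_key"
               value="<?php echo esc_attr( get_option( 'rd_demo_api_key', '' ) ); ?>" />
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- Hardened pattern, part 2: the handler refuses to write unless the user
// may manage options AND the nonce from the form verifies. ---
function rd_demo_save_settings_hardened() {
    if ( ! isset( $_POST['rd_demo_api_key'] ) ) {
        return;
    }
    // Authorisation: only users allowed to manage options reach the write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'rd-demo' ), 403 );
    }
    // CSRF defence: check_admin_referer() calls wp_die() when the nonce is
    // missing or invalid, so a forged cross-site POST never reaches update_option().
    check_admin_referer( 'rd_demo_save_settings', 'rd_demo_nonce' );

    update_option(
        'rd_demo_api_key',
        sanitize_text_field( wp_unslash( $_POST['rd_demo_api_key'] ) )
    );
}

// --- Equivalent hardening through the Settings API: register the option and
// render the form with settings_fields( 'rd_demo_settings_group' ); the form
// then posts to wp-admin/options.php, which performs the nonce and
// 'manage_options' checks itself before saving. ---
add_action( 'admin_init', function () {
    register_setting(
        'rd_demo_settings_group',
        'rd_demo_api_key',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
        )
    );
} );
```

When reviewing a plugin for this class of bug, the check is mechanical: every code path that calls `update_option()`, `add_option()` or similar on request data must be preceded by both a capability check and `check_admin_referer()` / `wp_verify_nonce()`; the nonce alone is not an authorisation check, and the capability check alone does nothing against CSRF, which is why both are present above.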
This vulnerability was publicly disclosed on 2025-11-27. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog.
WordPress sites utilizing the Reuters Direct plugin, particularly those with site administrators who are susceptible to social engineering attacks, are at risk. Shared hosting environments where multiple WordPress sites share the same server resources could also be affected, as a compromise on one site could potentially impact others.
• wordpress / composer / npm:
  grep -r 'class-reuters-direct-settings.php' /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
  wp plugin list | grep reuters-direct
• wordpress / composer / npm:
  curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=reuters_direct_settings_save&nonce=malicious_nonce' | head -n 1
Exploit Status
EPSS
0.02% (percentile 4%)
CISA SSVC
CVSS Vector
The recommended mitigation is to immediately upgrade the Reuters Direct plugin to a version that addresses this vulnerability. The vendor has not yet released a fixed version, so temporary workarounds include restricting access to the 'class-reuters-direct-settings.php' page using WordPress access control plugins. Implement a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Regularly review WordPress user permissions to ensure only authorized personnel have access to plugin settings.
No known fix is available. Please review the vulnerability details thoroughly and implement mitigation measures according to your organization's risk tolerance. It may be preferable to uninstall the affected software and find a replacement.
CVE-2025-12578 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Reuters Direct WordPress plugin versions 0.0.0–3.0.0, allowing attackers to modify plugin settings via forged requests.
If you are using the Reuters Direct WordPress plugin in versions 0.0.0 through 3.0.0, you are potentially affected by this vulnerability. Upgrade immediately.
Upgrade to a patched version of the Reuters Direct plugin as soon as it becomes available. Until then, restrict access to the settings page and consider using a WAF.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the plugin developer's website or WordPress plugin repository for updates and official advisories regarding CVE-2025-12578.