Platform
wordpress
Component
ark-relatedpost
Fixed in
2.20
CVE-2025-13684 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the ARK Related Posts plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the plugin's configuration settings if they can trick a site administrator into performing a malicious action. The vulnerability impacts versions 0.0.0 through 2.19, and a fix is available in version 2.20.
The primary impact of this CSRF vulnerability is the potential for unauthorized modification of the ARK Related Posts plugin's settings. An attacker could leverage this to alter how related posts are displayed, potentially injecting malicious content or redirecting users. While the plugin itself might not contain sensitive data, changes to its configuration could impact the overall site experience and potentially be used as a stepping stone for further attacks. Successful exploitation requires the attacker to convince a site administrator to click a malicious link, making social engineering a key component of the attack. This vulnerability is similar in nature to other CSRF flaws, where an attacker leverages a user's authenticated session to perform actions on their behalf.
This vulnerability was publicly disclosed on 2025-12-05. There is currently no indication of active exploitation campaigns targeting this specific flaw. No Proof-of-Concept (PoC) code has been publicly released. The vulnerability has not been added to the CISA KEV catalog at the time of this writing.
WordPress sites utilizing the ARK Related Posts plugin, particularly those with site administrators who are susceptible to social engineering attacks, are at risk. Shared hosting environments where plugin updates are managed centrally may also be vulnerable if the plugin is not promptly updated across all sites.
• wordpress / composer / npm:
grep -r 'ark_rp_options_page' /var/www/html/wp-content/plugins/ark-related-posts/
• wordpress / composer / npm:
wp plugin list | grep 'ark-related-posts'
• wordpress / composer / npm:
wp plugin update ark-related-posts --version=2.20
disclosure
Exploit Status
EPSS
0.02% (percentile 3%)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2025-13684 is to immediately upgrade the ARK Related Posts plugin to version 2.20 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests to the ark_rp_options_page endpoint that lack proper nonce validation. Additionally, educate site administrators about the risks of clicking on suspicious links and verify the legitimacy of any requests before confirming them. Regularly review plugin configurations for any unauthorized changes.
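To make the "missing nonce validation" point concrete, here is an added illustrative example (not the ARK Related Posts plugin's own code) of a WordPress settings handler in the CSRF-prone form described above, beside the hardened form that a fix like the one in 2.20 would typically take. The option name, field names and function names are assumed for the example.

```php
<?php
// Added illustrative example, not code from the ARK Related Posts plugin.
// Hypothetical settings handler for a WordPress plugin options page: the
// "before" form processes a POST with no intent check (the CSRF pattern
// described for CVE-2025-13684); the "after" form requires a nonce and a
// capability check. Option name and form field names are assumed.

// Vulnerable: any POST that reaches this handler while an administrator is
// logged in updates the option, including one submitted by a page the
// administrator was tricked into visiting.
function example_rp_save_settings_vulnerable() {
    if ( isset( $_POST['example_rp_count'] ) ) {
        update_option( 'example_rp_count', intval( $_POST['example_rp_count'] ) );
    }
}

// Hardened: the request must carry a nonce tied to this action and the
// current user's session, and the user must be allowed to manage options.
function example_rp_save_settings_hardened() {
    if ( ! isset( $_POST['example_rp_count'] ) ) {
        return;
    }
    // Reject requests from users without permission to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() verifies the '_wpnonce' field against the action
    // string and stops with an error if it is missing or invalid, which is
    // exactly what a form submitted from a third-party site lacks.
    check_admin_referer( 'example_rp_save_settings' );

    update_option( 'example_rp_count', intval( $_POST['example_rp_count'] ) );
}

// The plugin's own settings form emits the matching nonce field so that
// legitimate submissions pass the check above.
function example_rp_render_form() {
    $count = (int) get_option( 'example_rp_count', 5 );
    echo '<form method="post">';
    wp_nonce_field( 'example_rp_save_settings' );
    echo '<input type="number" name="example_rp_count" value="' . esc_attr( $count ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```

A WAF rule of the kind suggested above is only a stopgap: it can require the `_wpnonce` parameter to be present on the options endpoint, but cannot verify the nonce's value, which only the WordPress check can do.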
Update to version 2.20, or a more recent fixed version
CVE-2025-13684 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–2.19 of the ARK Related Posts WordPress plugin, allowing attackers to modify plugin settings.
You are affected if your WordPress site uses the ARK Related Posts plugin in versions 0.0.0 through 2.19. Upgrade to 2.20 or later to resolve the issue.
Upgrade the ARK Related Posts plugin to version 2.20 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-13684.
Refer to the ARK Related Posts plugin's official website or WordPress plugin repository for the latest advisory and update information.