Platform
wordpress
Component
fluentsnippets
Fixed in
10.50.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in the FluentSnippets (easy-code-manager) WordPress plugin. This flaw allows attackers to perform unauthorized actions on a user's account without their knowledge. Versions of FluentSnippets from 0.0.0 through 10.50 are affected. The vulnerability has been resolved in version 10.50.1.
The CSRF vulnerability in FluentSnippets allows an attacker to craft malicious requests that appear to originate from a legitimate user. Successful exploitation could lead to unauthorized modification of code snippets, changes to plugin settings, or even the deletion of critical data. Because FluentSnippets is used to manage code, an attacker could potentially inject malicious code into the snippets, leading to further compromise of the WordPress site. The impact is particularly severe given the plugin's widespread use for code management within WordPress environments.
This vulnerability was publicly disclosed on 2025-07-16. While no public proof-of-concept (PoC) has been released at the time of writing, the CRITICAL severity and the ease of CSRF exploitation suggest a high probability of exploitation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting FluentSnippets.
WordPress websites utilizing the FluentSnippets plugin, particularly those running older versions (0.0.0–10.50), are at significant risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r "fluent-snippets/includes/class-fluent-snippets-admin.php" * | grep -i 'wp_safe_redirect'
• generic web:
curl -I https://your-wordpress-site.com/wp-admin/admin.php?page=fluent-snippets | grep -i 'referer'
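A more reliable way to tell whether an install sits in the affected range (0.0.0 through 10.50, fixed in 10.50.1) is to read the version from the plugin header that WordPress itself uses. The following Python is an added example, not code from the advisory or the plugin; the plugin main-file path and the sample header are assumptions constructed for illustration.

```python
"""Triage an installed FluentSnippets copy against the range in this advisory."""
import re
from pathlib import Path

AFFECTED_MAX = "10.50"   # last vulnerable release stated in the advisory
FIXED_IN = "10.50.1"     # first patched release stated in the advisory

# Assumed path: slug taken from the advisory, main file name is a guess.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/easy-code-manager/easy-code-manager.php")

# Constructed sample header in the WordPress plugin-header format (not real plugin code).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: FluentSnippets
 * Version: 10.50
 */
"""


def parse_version(text: str) -> tuple:
    """Split a dotted version into integers so 10.5 < 10.50 < 10.50.1 compares
    correctly; plain string comparison gets all three of those wrong."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    while len(parts) < 3:          # pad so 10.50 and 10.50.0 compare equal
        parts.append(0)
    return tuple(parts)


def plugin_version_from_header(header: str):
    """Extract the 'Version:' field from a WordPress plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\w.]+)", header, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """True when the version is at or below the last vulnerable release."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)


def triage(header: str) -> dict:
    """Return the detected version and whether it falls in the affected range."""
    version = plugin_version_from_header(header)
    if version is None:
        return {"version": None, "affected": None}   # header missing: cannot decide
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    text = PLUGIN_MAIN_FILE.read_text() if PLUGIN_MAIN_FILE.exists() else SAMPLE_HEADER
    print(triage(text), "fixed in", FIXED_IN)
```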
Exploit Status
EPSS
0.02% (percentile 5%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-54010 is to immediately upgrade FluentSnippets to version 10.50.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, ensure that users are educated about the risks of clicking on suspicious links or visiting untrusted websites. Review FluentSnippets settings for any overly permissive configurations that could exacerbate the vulnerability.
Update the FluentSnippets plugin to the latest available version to mitigate the Cross-Site Request Forgery (CSRF) vulnerability. Check the plugin page on WordPress.org for the most recent version and update instructions. Implement additional security measures, such as input validation and data sanitization, to strengthen your website's security.
CVE-2025-54010 is a critical Cross-Site Request Forgery (CSRF) vulnerability affecting the FluentSnippets WordPress plugin, versions 0.0.0 through 10.50, allowing attackers to perform unauthorized actions.
If you are using the FluentSnippets WordPress plugin in versions 0.0.0 to 10.50, you are affected by this vulnerability. Upgrade immediately.
Upgrade FluentSnippets to version 10.50.1 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
While no public exploits are currently known, the CRITICAL severity suggests a high probability of exploitation. Monitor for any signs of active campaigns.
Refer to the official FluentSnippets website or WordPress plugin repository for the latest security advisory and updates.