Platform
wordpress
Component
quick-interest-slider
Fixed in
3.1.6
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Quick Interest Slider WordPress plugin. This flaw allows an attacker to trick authenticated users into performing actions they did not intend to, potentially leading to unauthorized modifications or deletions of data. The vulnerability impacts versions from 0.0.0 up to and including 3.1.5. A patch has been released in version 3.1.6.
Successful exploitation of this CSRF vulnerability could allow an attacker to modify settings, add or delete content, or perform other administrative actions within the Quick Interest Slider plugin, all under the context of a legitimate user's account. This could lead to defacement of the website, data breaches, or even complete compromise of the WordPress installation if the attacker can leverage the plugin's functionality to gain broader access. The impact is amplified if the plugin is used in conjunction with other sensitive functionalities on the website.
This vulnerability was publicly disclosed on 2025-12-16. No public proof-of-concept (PoC) code has been identified at the time of writing. The EPSS score is currently pending evaluation, but given the public disclosure and the relatively straightforward nature of CSRF attacks, the probability of exploitation is assessed as medium. No known active campaigns targeting this vulnerability have been reported.
Websites utilizing the Quick Interest Slider plugin, particularly those with user accounts and administrative interfaces, are at risk. Shared hosting environments where plugin updates are managed centrally are also vulnerable if they haven't applied the update. Sites with legacy WordPress configurations or those lacking robust security practices are at higher risk.
• wordpress / composer / npm:
grep -r 'quick-interest-slider/includes/quick-interest-slider.php' /var/www/html/*
• wordpress / composer / npm:
wp plugin list | grep 'Quick Interest Slider'
• wordpress / composer / npm:
wp plugin update quick-interest-slider
Disclosure
Exploit status
EPSS
0.02% (percentile 5%)
CISA SSVC
CVSS vector
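The grep and wp-cli commands above locate the plugin but leave the version comparison to the reader. The following script is an added example (not part of the advisory or of the plugin) that reads the "Version:" header from the plugin's main file and reports whether it falls in the affected range 0.0.0 through 3.1.5; it assumes the standard WordPress plugin header format and a `sort` that supports `-V`.

```shell
#!/bin/sh
# Added example: classify an installed Quick Interest Slider version against
# the fixed release 3.1.6 named in the advisory. Assumes `sort -V` (GNU or
# BSD coreutils) for numeric version ordering, so 3.1.10 sorts after 3.1.6.

# Print "vulnerable" if $1 is below 3.1.6, otherwise "fixed".
qis_is_vulnerable() {
    fixed="3.1.6"
    # The lowest of {installed, fixed} is the installed version only when
    # installed <= fixed; the equality case is handled first.
    lowest=$(printf '%s\n%s\n' "$1" "$fixed" | sort -V | head -n 1)
    if [ "$1" = "$fixed" ] || [ "$lowest" != "$1" ]; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# Extract the "Version:" value from a plugin main file (the file the
# advisory's grep command searches for); prints nothing if absent.
qis_plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Check one plugin file and print "<version>:<status>".
qis_check_file() {
    v=$(qis_plugin_version "$1")
    if [ -z "$v" ]; then
        echo "unknown:no Version header in $1"
        return 1
    fi
    echo "$v:$(qis_is_vulnerable "$v")"
}

# Demo on a constructed plugin header (sample data, not the real plugin file).
qis_demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
<?php
/*
 * Plugin Name: Quick Interest Slider
 * Version: 3.1.5
 */
EOF
    qis_check_file "$tmp"
    rm -f "$tmp"
}
```

Run `qis_check_file` on each path returned by the advisory's grep command; a result of `vulnerable` means the update in the third command above is still required.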
The primary mitigation is to upgrade the Quick Interest Slider plugin to version 3.1.6 or later, which contains the fix for this vulnerability. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing a Content Security Policy (CSP) to restrict the sources of scripts that can be executed on the website. Additionally, implement strict input validation and output encoding to prevent malicious data from being injected into the plugin's functionality. After upgrading, verify the fix by attempting to trigger a CSRF attack using a tool like Burp Suite and confirming that the request is blocked or fails.
Update to version 3.1.6 or a newer fixed version.
CVE-2025-64237 is a Cross-Site Request Forgery vulnerability affecting the Quick Interest Slider WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using Quick Interest Slider versions 0.0.0 through 3.1.5. Upgrade to 3.1.6 or later to mitigate the risk.
Upgrade the Quick Interest Slider plugin to version 3.1.6 or later. Consider implementing CSP and input validation as additional security measures.
No active exploitation campaigns have been confirmed, but the vulnerability is publicly disclosed and could be targeted.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.