Platform: wordpress
Component: rafflepress
Fixed in: 1.12.21
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Giveaways and Contests by RafflePress plugin, impacting versions from 0.0.0 through 1.12.20. This flaw allows an attacker to perform unauthorized actions on a user's account without their knowledge. The vulnerability has been resolved in version 1.12.21, and users are strongly advised to upgrade immediately.
This CSRF vulnerability allows an attacker to trick a logged-in user into unknowingly performing actions they did not intend. For example, an attacker could craft a malicious link that, when clicked by an administrator, could modify contest settings, delete entries, or even compromise user data associated with the RafflePress plugin. The potential impact is significant, as it could lead to data manipulation, unauthorized contest modifications, and ultimately, a loss of trust in the platform. Successful exploitation requires the user to be authenticated and interact with the malicious link, typically through a phishing campaign or by embedding the malicious code on a website the user visits.
This vulnerability was publicly disclosed on 2025-11-21. There are currently no known public proof-of-concept exploits available. The vulnerability's CVSS score of 4.3 (MEDIUM) indicates a moderate risk. It is not currently listed on the CISA KEV catalog. Active campaigns targeting this vulnerability have not been reported at the time of writing.
Websites utilizing the Giveaways and Contests by RafflePress plugin, particularly those with administrator accounts that are frequently targeted by phishing campaigns, are at risk. Shared hosting environments where plugin updates are managed centrally are also vulnerable if they haven't applied the update.
• wordpress / composer / npm: locate the plugin code on disk
  grep -r 'rafflepress_entry_create' /var/www/html/wp-content/plugins/
• wordpress / composer / npm: confirm the installed version
  wp plugin list --status=all | grep -i rafflepress
• wordpress / composer / npm: apply the fix
  wp plugin update rafflepress
• generic web: Check for unusual contest modifications or unexpected user actions within the RafflePress plugin. Monitor WordPress error logs for CSRF-related errors.
EPSS: 0.03% (percentile 7%)
The primary mitigation is to upgrade the Giveaways and Contests by RafflePress plugin to version 1.12.21 or later. If immediate upgrade is not possible due to compatibility issues or testing requirements, consider implementing stricter input validation and output encoding within the plugin's code to reduce the attack surface. While a Web Application Firewall (WAF) might offer some protection, it's unlikely to be effective against CSRF attacks without specific rules tailored to RafflePress. Implement a CSRF token validation mechanism within RafflePress itself as a long-term solution. After upgrading, confirm the fix by attempting to trigger a contest action via a crafted URL; the action should be rejected if the CSRF protection is functioning correctly.
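The CSRF token validation the paragraph above calls for is, in WordPress terms, a nonce check plus a capability check on every state-changing handler. The snippet below is an added illustration of that pattern, not RafflePress code: the hook and action names (`demo_contest_update`, `demo_contest_nonce`), the meta key `_demo_contest_title` and the script handle `demo-contest-admin` are hypothetical.

```php
<?php
// Added example, not RafflePress's code. Names are hypothetical.

// BEFORE: a state-changing admin-ajax handler with no nonce and no
// capability check. Any request that carries the logged-in user's cookies
// is accepted, which is exactly what a cross-site forged form delivers.
function demo_contest_update_vulnerable() {
    $contest_id = intval( $_POST['contest_id'] ?? 0 );
    $title      = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_post_meta( $contest_id, '_demo_contest_title', $title );
    wp_send_json_success();
}

// AFTER: the request must carry a nonce issued to this user for this action,
// and the user must actually be allowed to edit the contest.
function demo_contest_update_hardened() {
    // check_ajax_referer() ends the request with HTTP 403 when the nonce
    // is missing, expired or was issued for a different action/user.
    check_ajax_referer( 'demo_contest_update', 'demo_contest_nonce' );

    $contest_id = intval( $_POST['contest_id'] ?? 0 );
    if ( ! $contest_id || ! current_user_can( 'edit_post', $contest_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_post_meta( $contest_id, '_demo_contest_title', $title );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_contest_update', 'demo_contest_update_hardened' );

// The legitimate admin page issues the nonce to its own script. A page on
// another origin cannot read it, so a forged request cannot supply it.
// Assumes a script registered under the handle 'demo-contest-admin'.
function demo_contest_enqueue_nonce() {
    wp_localize_script( 'demo-contest-admin', 'demoContest', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_contest_update' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_contest_enqueue_nonce' );
```

The client sends the nonce as the `demo_contest_nonce` POST field; a request that reaches the handler without it is rejected before any data is modified.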
Update to version 1.12.21, or a newer fixed version.
CVE-2025-66064 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–1.12.20 of the Giveaways and Contests by RafflePress WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using Giveaways and Contests by RafflePress versions 0.0.0 through 1.12.20. Upgrade to 1.12.21 or later to mitigate the risk.
Upgrade the Giveaways and Contests by RafflePress plugin to version 1.12.21 or later. Consider implementing stricter input validation and CSRF token validation as additional security measures.
As of the current assessment, there are no confirmed reports of active exploitation of CVE-2025-66064, but it's crucial to apply the patch promptly.
Refer to the official RafflePress website or their WordPress plugin repository page for the latest security advisory and update information regarding CVE-2025-66064.