Platform
wordpress
Component
coil-web-monetization
Fixed in
2.0.3
CVE-2025-9625 is a Cross-Site Request Forgery (CSRF) vulnerability in the Coil Web Monetization plugin for WordPress. It allows an unauthenticated attacker to trigger the plugin's CSS selector detection functionality by having a logged-in administrator's browser submit a forged request. All versions up to and including 2.0.2 are affected; the fix shipped in version 2.0.3.
The root cause is missing or incorrect nonce validation in the plugin's maybe_restrict_content function when it handles the coil-get-css-selector request parameter. WordPress nonces are the mechanism that ties a state-changing request to a page the logged-in user actually loaded on this site; without that check, any request carrying the parameter is honored as long as the browser attaches a valid administrator session cookie, regardless of which site the request originated from. An attacker who can get an administrator to visit a page they control, or to click a crafted link, can therefore make the administrator's browser trigger the CSS selector detection action on the victim site. The advisory credits the attacker with nothing beyond triggering that action: no session is stolen and no other plugin functionality is reached, which is consistent with the low EPSS score reported below. Social engineering is a required step; the attacker needs no account, but nothing happens unless an administrator interacts while logged in.
This vulnerability was publicly disclosed on 2025-11-18. No public proof-of-concept (PoC) had been released at the time of writing, although CSRF PoCs are simple to build once the request format is known, so one could appear. The vulnerability is not listed in the CISA KEV catalog. Exploitation needs no authentication, but it does need administrator interaction and yields only the narrow action described above, so this warrants routine patching and monitoring rather than emergency response.
WordPress sites running Coil Web Monetization 2.0.2 or earlier are affected, and the exposure is highest where administrators routinely browse other sites, read email, or follow links while logged in to wp-admin. Because CSRF operates through the victim's browser, the exposure is per site: what matters is whether an administrator of that site can be induced to load attacker-controlled content, not what else runs on the same server.
• wordpress:
grep -r 'coil-get-css-selector' /var/www/html/wp-content/plugins/coil-web-monetization/
Confirms that plugin code handling the vulnerable parameter is present; adjust the path to your web root. A match shows presence, not version, so pair it with the next check.
• wordpress:
wp plugin list --status=all | grep 'coil-web-monetization'
Shows the installed version and whether the plugin is active; 2.0.2 or lower is affected.
• wordpress:
wp plugin update --all
Updates every installed plugin; run it from the WordPress root with a backup taken first, or narrow it to the one plugin if other updates need separate testing.
• wordpress:
wp plugin status coil-web-monetization
Confirms that the version now installed is 2.0.3 or later.
Disclosure
Exploit status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-9625 is to update the Coil Web Monetization plugin to version 2.0.3 or later, which adds proper nonce validation to the affected handler and closes the CSRF vector. If the update cannot be applied immediately, note that tighter input validation on the coil-get-css-selector value does not address CSRF: the forged request is otherwise well-formed and arrives with a legitimate session, so validating the value does not tell the site whether the administrator meant to send it. Interim options are to deactivate the plugin until it can be updated, or to block requests carrying the coil-get-css-selector parameter at a WAF or web server in front of WordPress. Administrators should avoid browsing untrusted sites while logged in to wp-admin, and periodic review of administrator accounts and plugin permissions limits what any CSRF against the site can reach.
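To make the nonce point in the description and mitigation concrete, the following is an added example written for this page, not code from the Coil Web Monetization plugin or from its 2.0.3 fix. It shows a WordPress handler that acts on a request parameter, first in the unprotected shape the description attributes to maybe_restrict_content and then with the capability and nonce checks a correct fix relies on. The function names, option name, hook, admin page slug, text domain and nonce action string are assumptions chosen for the illustration.

```php
<?php
// Added illustration, not the Coil Web Monetization plugin's own code.
// A WordPress request handler of the kind the advisory describes (a
// privileged action driven by a request parameter), shown vulnerable and
// then hardened. Option name, hook, page slug, text domain and function
// names are hypothetical.

// --- Vulnerable shape -------------------------------------------------------
// Any request that reaches WordPress with this parameter is honoured, as long
// as it carries the administrator's session cookie. Browsers attach that
// cookie automatically, so an <img src="..."> or auto-submitting <form> on an
// attacker's page is enough: nothing proves the administrator chose to act.
function example_vulnerable_detect_selector() {
    if ( ! isset( $_GET['coil-get-css-selector'] ) ) {
        return;
    }
    $selector = sanitize_text_field( wp_unslash( $_GET['coil-get-css-selector'] ) );
    update_option( 'example_detected_css_selector', $selector );
}

// --- Hardened shape ---------------------------------------------------------
function example_hardened_detect_selector() {
    if ( ! isset( $_GET['coil-get-css-selector'] ) ) {
        return;
    }

    // 1. Authorization: who is allowed to perform this action at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }

    // 2. Intent: the request must carry a nonce WordPress issued for this
    //    action to this user. Only a page rendered by this site for this
    //    user embeds it; a cross-site forgery cannot read such a page, so it
    //    cannot supply the value and is rejected here.
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_detect_css_selector' ) ) {
        wp_die( esc_html__( 'Security check failed.', 'example' ), 403 );
    }

    // 3. Only now act on the input. Sanitisation is still required, but it
    //    governs what the value contains, not whether the request was meant;
    //    it never substitutes for step 2.
    $selector = sanitize_text_field( wp_unslash( $_GET['coil-get-css-selector'] ) );
    update_option( 'example_detected_css_selector', $selector );
}
add_action( 'admin_init', 'example_hardened_detect_selector' );

// The legitimate trigger must embed the matching nonce. wp_nonce_url()
// appends _wpnonce bound to the same action string verified above.
function example_detect_selector_url( $selector ) {
    $url = add_query_arg(
        'coil-get-css-selector',
        $selector,
        admin_url( 'admin.php?page=example-settings' )
    );
    return wp_nonce_url( $url, 'example_detect_css_selector' );
}
```

In a real handler, check_admin_referer( 'example_detect_css_selector' ) bundles the nonce lookup, verification and the 403 response into one call, and check_ajax_referer() does the same for admin-ajax endpoints. Two caveats a reviewer would want stated: WordPress nonces are tied to the user and expire (12 to 24 hours by default), so they prove intent rather than identity, and the capability check in step 1 must stay in place alongside them; and the hook the handler is attached to determines whether the action is reachable from the front end as well as wp-admin, so the nonce check belongs in the handler itself, not only in the admin page that normally links to it.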
CVE-2025-9625 is a Cross-Site Request Forgery (CSRF) vulnerability in the Coil Web Monetization WordPress plugin that lets an attacker trigger the plugin's CSS selector detection action through a forged request submitted by a logged-in administrator's browser.
If your WordPress site runs Coil Web Monetization version 2.0.2 or earlier, you are affected by this vulnerability.
Upgrade the Coil Web Monetization plugin to version 2.0.3 or later to resolve the XSRF vulnerability. This update includes proper nonce validation.
While no active exploitation has been confirmed, the vulnerability's nature suggests it could be exploited once a proof-of-concept is available.
Refer to the official Coil Web Monetization plugin documentation or WordPress plugin repository for the latest advisory and update information.