Platform: wordpress
Component: ctl-arcade-lite
Fixed version: 1.0.1
CVE-2025-11886 describes a Cross-Site Request Forgery (CSRF) vulnerability in the CTL Arcade Lite plugin for WordPress. A plugin-management request is accepted without proof that the administrator intended it (in WordPress terms, a nonce check), so an unauthenticated attacker can craft a request that activates or deactivates plugins on the site when a logged-in administrator is tricked into sending it. The vulnerability affects versions up to and including 1.0 and is fixed in version 1.0.1.
The primary impact is unauthorized plugin management. An attacker can place a malicious link or a hidden, auto-submitting form on a page they control; when an administrator who is logged into the target site visits that page, the browser sends the forged request together with the administrator's session cookies and WordPress carries out the action without any explicit consent. That can deactivate security or other critical plugins and disrupt the site, or activate an already-installed plugin the administrator had deliberately left off, which can compromise the whole installation. The impact is confined to sites running the vulnerable plugin, and every attack needs a user holding the activate_plugins capability to load attacker-controlled content while logged in.
CVE-2025-11886 is not currently listed in CISA's KEV catalog. Its EPSS score is 0.03% (8th percentile), consistent with the need for an administrator to interact with attacker-controlled content. No public proof-of-concept exploit is known, and there are no indications of active exploitation campaigns at this time. The vulnerability was publicly disclosed on 2025-11-11.
WordPress sites running CTL Arcade Lite 1.0 or earlier are at risk. Exposure is highest on sites where plugin-management privileges are handed out broadly, since each such account is a potential victim, and for administrators who open links from untrusted sources while still logged into wp-admin.
Checks (wordpress / composer / npm):
• Look for the plugin's plugin-management handler on disk:
  grep -r 'ctl_arcade_lite_page_manage_games' /var/www/html/wp-content/plugins/
• Confirm whether the plugin is installed and active:
  wp plugin list --status=active | grep ctl-arcade-lite
• Turn on automatic updates for the plugin (WP-CLI 2.5 or later):
  wp plugin auto-updates enable ctl-arcade-lite
Exploit status
EPSS: 0.03% (8th percentile)
CISA SSVC: not given
CVSS vector: not given
The immediate mitigation for CVE-2025-11886 is to upgrade CTL Arcade Lite to version 1.0.1 or later. Where that cannot be done at once, reduce exposure: limit the number of accounts holding the activate_plugins capability, and have administrators avoid browsing untrusted sites while logged into wp-admin, since a CSRF only works while the victim's browser carries a valid session. A Web Application Firewall can add some protection, for example by rejecting plugin-management requests whose Origin or Referer header does not belong to the site, but a WAF cannot verify the user's intent the way a nonce does and is not a substitute for the patch. Review admin activity logs for plugin activations or deactivations nobody remembers performing. After upgrading, confirm that the installed version is 1.0.1 or later (in the Plugins screen or via WP-CLI) and, if you audit the code, check that the management handler validates a nonce and the caller's capability before acting; do not verify the fix by replaying a forged request against a production site.
To mitigate the Cross-Site Request Forgery vulnerability, update the CTL Arcade Lite plugin to the latest version. Make sure every site administrator is aware of this update and applies it as soon as possible to protect the site from potential attacks.
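The following is an added illustration, not code from the CTL Arcade Lite plugin or from this advisory. It shows a WordPress plugin-management action written first in the pattern that produces a CSRF of the kind described above (the handler acts on any request that arrives with the administrator's session cookies) and then hardened with the nonce, capability and input checks a fix for this class of bug adds. The `ctl_demo_` function and action names, the form fields and the sample forged page are assumptions chosen for the example; the advisory names the real handler only as `ctl_arcade_lite_page_manage_games` and does not show its code.

```php
<?php
/**
 * Added illustration (not the CTL Arcade Lite plugin's own code).
 * Handler names, the `ctl_demo_` prefix and the form fields are assumptions.
 * Both handlers expect the wp-admin plugin API (wp-admin/includes/plugin.php),
 * which WordPress loads for admin-post.php requests.
 */

/*
 * What an attacker's page might carry (constructed illustration). The
 * victim's browser attaches its wp-admin cookies automatically, so the only
 * thing standing between this form and a plugin change is the handler's
 * own check for proof of intent:
 *
 *   <form action="https://victim.example/wp-admin/admin-post.php" method="post">
 *     <input type="hidden" name="action" value="ctl_demo_manage_plugin">
 *     <input type="hidden" name="plugin" value="some-plugin/some-plugin.php">
 *     <input type="hidden" name="op"     value="deactivate">
 *   </form>
 *   <script>document.forms[0].submit();</script>
 */

// VULNERABLE PATTERN: trusts the request because it came with a valid
// session. No nonce, no capability check, no validation of the slug.
function ctl_demo_manage_plugin_unsafe() {
    $plugin = isset( $_POST['plugin'] ) ? $_POST['plugin'] : '';
    $op     = isset( $_POST['op'] ) ? $_POST['op'] : '';
    if ( 'activate' === $op ) {
        activate_plugin( $plugin );
    } elseif ( 'deactivate' === $op ) {
        deactivate_plugins( $plugin );
    }
}

// HARDENED: (1) a nonce bound to this user and this action, (2) an explicit
// capability check, (3) the plugin slug validated against installed plugins.
const CTL_DEMO_NONCE_ACTION = 'ctl_demo_manage_plugin';

// The legitimate form. wp_nonce_field() emits the nonce (and a referer field)
// that a cross-site page cannot obtain, because it cannot read this page.
function ctl_demo_render_form( $plugin_file ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="ctl_demo_manage_plugin">';
    echo '<input type="hidden" name="plugin" value="' . esc_attr( $plugin_file ) . '">';
    echo '<input type="hidden" name="op" value="deactivate">';
    wp_nonce_field( CTL_DEMO_NONCE_ACTION, '_ctl_demo_nonce' );
    submit_button( 'Deactivate' );
    echo '</form>';
}

function ctl_demo_manage_plugin_safe() {
    // Stops the request with wp_die() unless the nonce was minted for this
    // user and this action; everything below runs only for an intended request.
    check_admin_referer( CTL_DEMO_NONCE_ACTION, '_ctl_demo_nonce' );

    // A nonce proves intent, not authority: still require the capability.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ctl-demo' ), '', 403 );
    }

    $plugin = sanitize_text_field( wp_unslash( $_POST['plugin'] ?? '' ) );
    $op     = sanitize_key( $_POST['op'] ?? '' );

    // Only act on a plugin WordPress actually knows about.
    if ( ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_die( esc_html__( 'Unknown plugin.', 'ctl-demo' ), '', 400 );
    }

    if ( 'activate' === $op ) {
        $result = activate_plugin( $plugin );
        if ( is_wp_error( $result ) ) {
            wp_die( esc_html( $result->get_error_message() ), '', 500 );
        }
    } elseif ( 'deactivate' === $op ) {
        deactivate_plugins( $plugin );
    } else {
        wp_die( esc_html__( 'Invalid operation.', 'ctl-demo' ), '', 400 );
    }

    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}

// Only the logged-in hook is registered (no admin_post_nopriv_ variant), so
// anonymous requests never reach the handler at all.
add_action( 'admin_post_ctl_demo_manage_plugin', 'ctl_demo_manage_plugin_safe' );
```

The order of the checks matters: the nonce check comes first because it is the only one that distinguishes a request the administrator meant to send from one a third-party page sent on their behalf, and the capability check is still required because a nonce is not a privilege. When reviewing a patch for a bug of this class, look for both, plus a rejection of slugs the site does not have installed, rather than for a WAF rule.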
CVE-2025-11886 is a Cross-Site Request Forgery (CSRF) vulnerability in the CTL Arcade Lite WordPress plugin that lets an attacker have a logged-in administrator unknowingly activate or deactivate plugins.
You are affected if your WordPress site runs CTL Arcade Lite version 1.0 or earlier. Upgrade to version 1.0.1 or later.
Upgrade to CTL Arcade Lite 1.0.1 or later. If the upgrade must wait, tighten who holds plugin-management privileges, warn administrators about untrusted links, and treat WAF rules only as a partial stopgap.
There are currently no indications of active exploitation campaigns for CVE-2025-11886.
Check the CTL Arcade Lite plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-11886.