Platform
wordpress
Component
wp-landing-page
Fixed version
0.9.4
CVE-2025-13629 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the WP Landing Page plugin for WordPress. This flaw allows unauthenticated attackers to manipulate post meta data by crafting malicious requests, potentially leading to unauthorized modifications of website content. The vulnerability affects versions from 0.0.0 up to and including 0.9.3. A fix is expected in a future plugin release.
The primary impact of this CSRF vulnerability lies in the ability of an attacker to modify post meta data without proper authentication. This could involve altering page content, changing settings, or injecting malicious code. A successful attack requires the attacker to trick a site administrator into clicking a specially crafted link or visiting a malicious webpage. The blast radius is limited to the affected WordPress site and its associated data, but the potential for defacement or data manipulation is significant. This vulnerability is similar to other CSRF flaws where user actions are performed without proper authorization.
CVE-2025-13629 was publicly disclosed on 2025-12-06. There is no indication of this vulnerability being actively exploited at this time. The EPSS score is pending evaluation. No public proof-of-concept (PoC) code has been released, but the vulnerability's nature makes it relatively straightforward to exploit given a targeted attack scenario.
WordPress websites using the WP Landing Page plugin are at risk, particularly where an administrator could be tricked into clicking a malicious link. Shared hosting environments where multiple websites share the same server resources are also potentially vulnerable, as a compromise of one site could lead to attacks against others.
• wordpress / composer / npm:
grep -r 'wplp_api_update_text' /var/www/html/wp-content/plugins/wp-landing-page/
• wordpress / composer / npm:
wp plugin list --status=all | grep 'wp-landing-page'
• wordpress / composer / npm:
wp plugin update wp-landing-page
Disclosure
Exploit status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS vector
The immediate mitigation for CVE-2025-13629 is to upgrade to a patched version of the WP Landing Page plugin as soon as it becomes available. Until then, implement a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Alternatively, consider using a WordPress security plugin that provides CSRF protection. Carefully review any suspicious URLs or requests before clicking on them, and educate administrators about the risks of CSRF attacks. After applying a WAF rule or upgrading the plugin, verify the mitigation by attempting to trigger the vulnerable endpoint with a forged request and confirming that it is blocked or fails.
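As an added illustration, not code from the WP Landing Page plugin and not a reconstruction of its actual code path, the standard WordPress pattern that closes this class of CSRF: the request handler verifies a nonce and then a capability before it touches post meta. The action string reuses the name the grep above looks for; the handler function, its request fields and the meta key are assumptions.

```php
<?php
// Hypothetical hardened handler (not the plugin's own code). Registering it only
// under wp_ajax_ (not wp_ajax_nopriv_) keeps anonymous visitors out entirely.
add_action( 'wp_ajax_wplp_api_update_text', 'wplp_example_update_text' );

function wplp_example_update_text() {
    // 1. CSRF check: the request must carry a nonce that this site issued to the
    //    current user for this specific action. A page on another origin cannot
    //    read that value, so a forged request fails here.
    //    check_ajax_referer() terminates the request (-1) when the nonce is bad.
    check_ajax_referer( 'wplp_update_text', '_wpnonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( 'invalid post', 400 );
    }

    // 2. Authorization check: a valid nonce proves intent, not permission.
    //    Tie the check to the specific post being modified.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Sanitize before storing; meta values are rendered into pages later.
    $text = isset( $_POST['text'] )
        ? sanitize_text_field( wp_unslash( $_POST['text'] ) )
        : '';
    update_post_meta( $post_id, '_wplp_text', $text ); // assumed meta key

    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// The legitimate caller must be handed the nonce, e.g. alongside its admin script
// (script handle and JS object name are assumptions):
// wp_localize_script( 'wplp-admin', 'wplp',
//     array( 'nonce' => wp_create_nonce( 'wplp_update_text' ) ) );
```

When verifying a mitigation as the paragraph above suggests, a request that omits or carries a stale `_wpnonce` should now end at step 1 with a `-1` body and no change to the post meta.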
No known fix patch is available. Review the vulnerability details carefully and apply mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find an alternative.
CVE-2025-13629 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP Landing Page plugin for WordPress versions 0.0.0–0.9.3, allowing attackers to modify post meta data via forged requests.
If you are using the WP Landing Page plugin in WordPress versions 0.0.0 through 0.9.3, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of the WP Landing Page plugin. Until then, implement a WAF with CSRF protection or use a WordPress security plugin.
There is currently no public evidence of CVE-2025-13629 being actively exploited, but the vulnerability's nature makes it a potential target.
Please refer to the WP Landing Page plugin's official website or WordPress plugin repository for updates and advisories regarding CVE-2025-13629.