Platform
wordpress
Component
adstxt-guru-connect
Fixed version
1.1.2
A Cross-Site Request Forgery (CSRF) vulnerability exists in ads.txt Guru Connect, allowing an attacker to trigger state-changing actions on behalf of an authenticated user who is lured to an attacker-controlled page. This can lead to unintended modifications of ad configurations and compromise the integrity of ad management settings. Versions 0.0.0 through 1.1.1 are affected, and a patch is available in version 1.1.2.
The CSRF vulnerability in ads.txt Guru Connect allows an attacker to craft requests that the plugin accepts as if they originated from a legitimate, logged-in user, because the affected request handlers do not verify a per-session token (a WordPress nonce) before acting. Exploitation requires a victim who is logged in to the WordPress admin with sufficient privileges to visit a page the attacker controls; no credentials are needed. Successful exploitation could let an attacker modify ad settings, add or remove ad networks, or alter the ads.txt content the plugin manages, affecting ad revenue and publisher control. On a multisite or multi-publisher installation the impact widens, since one forged request against a single administrator can touch every site that administrator manages. While no public attacks against this specific flaw are known, CSRF is a well-understood and frequently exploited class, so the fix should be prioritized.
The vulnerability was published on 2025-08-20. Severity is currently assessed as CRITICAL (CVSS 9.6). No public Proof-of-Concept (PoC) exploits are currently known. The vulnerability is not listed in CISA's KEV catalog, and its EPSS score is 0.02% (6th percentile), which indicates a low predicted probability of exploitation at this time; that estimate can rise quickly once a public PoC appears, so monitor vendor advisories and security news for updates.
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49381 is to upgrade to version 1.1.2 of ads.txt Guru Connect. If upgrading immediately is not feasible, note what the interim options can and cannot do. The real fix is a CSRF token check in the plugin's request handlers (in WordPress terms, a nonce emitted with wp_nonce_field() and verified with check_admin_referer() or wp_verify_nonce(), alongside a capability check); that is a code change inside the plugin, not a configuration a site operator can apply from the outside. A Content Security Policy does not stop CSRF: CSP governs what the protected page may load or submit to, not whether another origin may send a request carrying the victim's cookies, so do not count it as a workaround for this issue. Controls that do reduce exposure: deactivate the plugin until it is patched; put a Web Application Firewall or reverse proxy rule in front of the WordPress admin that rejects state-changing requests whose Origin or Referer header is not the site's own origin; and keep the number of users with administrator rights small. Modern browsers' SameSite=Lax default on cookies blocks most cross-site POSTs, but it is a browser default rather than something WordPress sets, so do not rely on it. After upgrading, confirm the fix by replaying a captured settings request from an authenticated session with the nonce field removed or stale; the plugin should reject it with WordPress's standard nonce-failure response instead of applying the change.
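The following is an added illustration of the WordPress nonce pattern described above; it is not code from ads.txt Guru Connect and does not reflect the plugin's actual handlers, option names or field names, all of which are hypothetical here. It places the CSRF-prone shape of a settings handler next to the hardened shape so the difference is concrete.

```php
<?php
/**
 * Added example, not plugin code. Shows why a handler that only checks for
 * a POST field is forgeable, and the nonce + capability pattern that is not.
 * The option name 'example_adstxt_content', the action 'example_save_adstxt'
 * and the field names are hypothetical.
 */

// --- Forgeable pattern: any POST that arrives with the admin's cookies is
//     applied. A hidden auto-submitting form on an attacker's page produces
//     exactly such a request from a logged-in administrator's browser.
add_action( 'admin_init', 'example_save_settings_unsafe' );
function example_save_settings_unsafe() {
    if ( isset( $_POST['example_adstxt_content'] ) ) {
        // No nonce, no capability check.
        update_option(
            'example_adstxt_content',
            wp_unslash( $_POST['example_adstxt_content'] )
        );
    }
}

// --- Hardened pattern.
// 1. The form carries a nonce bound to a named action and to the current
//    user's session; an attacker's page cannot know or forge its value.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_adstxt">
        <?php wp_nonce_field( 'example_save_adstxt', 'example_adstxt_nonce' ); ?>
        <textarea name="example_adstxt_content"><?php
            echo esc_textarea( get_option( 'example_adstxt_content', '' ) );
        ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. The handler runs only for the named admin-post action and verifies
//    both the caller's capability and the nonce before touching anything.
add_action( 'admin_post_example_save_adstxt', 'example_save_settings_safe' );
function example_save_settings_safe() {
    // Authorization: CSRF protection and privilege checks are separate
    // controls; a valid nonce from a low-privilege user must still fail here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF protection: check_admin_referer() validates the nonce for this
    // action and calls wp_die() with a 403 if it is missing, stale or forged.
    check_admin_referer( 'example_save_adstxt', 'example_adstxt_nonce' );

    $content = isset( $_POST['example_adstxt_content'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['example_adstxt_content'] ) )
        : '';
    update_option( 'example_adstxt_content', $content );

    // Redirect back to the referring admin page (fallback to the dashboard).
    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
```

To verify a fix of this shape after upgrading, submit the form once normally, then resend the same request from the authenticated session with the nonce field deleted (for example by editing the request in browser developer tools or a proxy). The first request should be applied and the second should end at WordPress's nonce-failure page with no change to the stored option. Note that the nonce check alone is not a substitute for the capability check: WordPress nonces are issued to any logged-in user, so a handler that only verifies the nonce still lets a subscriber-level account change the setting.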
Update the ads.txt Guru Connect plugin to the latest available version to mitigate the Cross-Site Request Forgery (CSRF) vulnerability. Check for updates in the WordPress plugin repository or on the developer's website. Implement additional security measures, such as CSRF token validation, to strengthen protection.
CVE-2025-49381 is a critical Cross-Site Request Forgery (CSRF) vulnerability affecting ads.txt Guru Connect versions 0.0.0–1.1.1, allowing attackers to forge requests and potentially modify ad settings.
You are affected if you are using ads.txt Guru Connect versions 0.0.0 through 1.1.1. Upgrade to version 1.1.2 to mitigate the vulnerability.
The recommended fix is to upgrade to version 1.1.2 of ads.txt Guru Connect. The proper defense, a nonce (CSRF token) check in the plugin's request handlers, lives in the plugin code; interim measures available to a site operator (deactivating the plugin, WAF rules that reject admin requests with a foreign Origin or Referer, limiting administrator accounts) only reduce exposure. A Content Security Policy does not prevent CSRF.
Currently, no public Proof-of-Concept (PoC) exploits are known. The vulnerability is not listed in CISA's KEV catalog, and its EPSS score is 0.02% (6th percentile), indicating a low predicted probability of active exploitation at this time.
Refer to the ads.txt Guru Connect official website or security advisory channels for the latest information and updates regarding CVE-2025-49381.