Platform
wordpress
Component
facebook-photo-fetcher
Fixed version
3.0.5
A Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2025-62872, has been identified in JK Social Photo Fetcher (plugin slug facebook-photo-fetcher), a WordPress plugin. The flaw lets an attacker cause actions to be performed in the context of a logged-in user's account when that user is tricked into opening an attacker-controlled page or clicking a crafted link. All versions up to and including 3.0.4 are affected; version 3.0.5 fixes the issue.
CSRF is possible when a state-changing request handler does not verify that the request was deliberately sent by the user (in WordPress, this is normally done with a nonce check in addition to a capability check). An attacker hosts a page or link that causes the victim's browser to submit a request to the vulnerable endpoint; the browser attaches the victim's WordPress session cookies automatically, so the plugin cannot distinguish the forged request from a legitimate one. The attacker can then change plugin settings, delete data, or trigger other actions exposed by the affected handler, as if they were the user. The impact is amplified if the victim is an administrator, since an attacker who can change settings or content with administrative rights may be able to escalate to control of the site. As with other CSRF flaws in WordPress plugins, user interaction is required: the victim must be logged in and must visit the attacker's page while the session is valid.
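The pattern described above, as an added example that is not code from the JK Social Photo Fetcher plugin or from this page: a minimal WordPress admin-post settings handler in the CSRF-vulnerable shape, next to the hardened version that adds the capability check and the nonce check WordPress provides. The hook names, the option name jk_app_id, the settings page slug and the capability manage_options are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's own code). Hook names, option names and the
// capability below are assumptions chosen for illustration.

// --- Vulnerable shape: the handler trusts any POST that arrives with the
// admin's session cookie. An attacker page such as
//   <form action="https://victim.example/wp-admin/admin-post.php" method="POST">
//     <input type="hidden" name="action" value="jk_save_settings_vuln">
//     <input type="hidden" name="jk_app_id" value="attacker-app-id">
//   </form><script>document.forms[0].submit()</script>
// submits the request on the admin's behalf as soon as the admin opens it.
add_action( 'admin_post_jk_save_settings_vuln', 'jk_save_settings_vuln' );
function jk_save_settings_vuln() {
    // No capability check and no nonce: whatever is in $_POST is persisted.
    update_option( 'jk_app_id', $_POST['jk_app_id'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=jk-photo-fetcher&updated=1' ) );
    exit;
}

// --- Hardened shape: the same handler with the two checks WordPress provides.
add_action( 'admin_post_jk_save_settings', 'jk_save_settings' );
function jk_save_settings() {
    // Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // CSRF protection: the request must carry a valid nonce bound to this
    // action and to the current user's session. check_admin_referer() reads
    // it from $_REQUEST['_wpnonce'] and calls wp_die() when it is missing or
    // invalid, so a forged cross-site POST never reaches update_option().
    check_admin_referer( 'jk_save_settings' );

    // Validate and sanitize before persisting.
    $app_id = isset( $_POST['jk_app_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['jk_app_id'] ) )
        : '';
    update_option( 'jk_app_id', $app_id );

    wp_safe_redirect( admin_url( 'options-general.php?page=jk-photo-fetcher&updated=1' ) );
    exit;
}

// The settings form must emit the matching nonce; otherwise the hardened
// handler rejects every submission, including legitimate ones.
function jk_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="jk_save_settings">
        <?php wp_nonce_field( 'jk_save_settings' ); ?>
        <label for="jk_app_id">App ID</label>
        <input type="text" id="jk_app_id" name="jk_app_id"
               value="<?php echo esc_attr( get_option( 'jk_app_id', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The attacker's page cannot obtain a valid nonce because it is generated from the victim's user ID and session token, and the same-origin policy prevents the attacker's script from reading the legitimate settings page. Note that the capability check alone does not stop CSRF (the victim is an administrator, so it passes), and the nonce check alone does not replace authorization; both are needed.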
This vulnerability was publicly disclosed on 2025-12-09. No public proof-of-concept (PoC) code had been released at the time of writing, and the vulnerability is not listed in the CISA KEV catalog. The likelihood of exploitation is rated medium here because CSRF requests are simple to construct and the plugin is widely deployable, although the EPSS score of 0.02% (5th percentile) indicates a low probability of exploitation being observed in the wild.
Any site with a vulnerable version of JK Social Photo Fetcher installed and active is at risk; the impact scales with the privileges of the user who is tricked, so sites whose administrators browse untrusted pages while logged in, or that handle sensitive data through the plugin, are most exposed. Shared hosting environments are at additional risk where sites share the same PHP user or filesystem, because control gained over one site can be used to reach others on the same server.
Detection
• WordPress (on the server; the plugin is distributed through the WordPress plugin repository, not composer or npm):
  ls /var/www/html/wp-content/plugins/ | grep 'facebook-photo-fetcher'
  wp plugin list --fields=name,version,status | grep 'facebook-photo-fetcher'
  Compare the reported version against 3.0.5; anything lower is affected.
• Generic web (remote, unauthenticated; the original HEAD request is not useful because the plugin name does not appear in response headers, so the plugin's readme.txt is fetched instead):
  curl -s https://your-wordpress-site.com/wp-content/plugins/facebook-photo-fetcher/readme.txt | grep -i 'stable tag'
  A 404 means the plugin is not installed at the default path; a "Stable tag" below 3.0.5 means it is affected.
Exploitation status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-62872 is to upgrade JK Social Photo Fetcher to version 3.0.5 or later. If upgrading is not immediately feasible, a Web Application Firewall (WAF) with CSRF rules can reduce exposure, with the caveat that a forged request carries the victim's own cookies and looks legitimate, so a WAF can only help by rejecting state-changing requests whose Origin or Referer header does not match the site, and only where the WAF is placed in front of wp-admin. Additionally, make administrators aware that they should not browse untrusted pages while logged in to the site, and should verify the origin of any request before submitting it. There are no specific Sigma or YARA rules for this vulnerability; generic CSRF detection rules can be applied.
If the fixed version cannot be applied, review the vulnerability details carefully and implement mitigations according to your organization's risk tolerance. Uninstalling the affected plugin and finding an alternative may be the safest option.
CVE-2025-62872 is a Cross-Site Request Forgery (CSRF) vulnerability in the JK Social Photo Fetcher WordPress plugin, allowing an attacker to have state-changing actions performed on behalf of a logged-in user who is tricked into sending a forged request.
You are affected if you are using JK Social Photo Fetcher versions 0.0.0 through 3.0.4. Upgrade to version 3.0.5 or later to resolve the issue.
Upgrade to the latest version of JK Social Photo Fetcher. If an immediate upgrade is not possible, implement a WAF with CSRF protection (Origin/Referer validation on state-changing requests) as an interim measure.
There is no confirmed active exploitation of CVE-2025-62872 at this time, but the potential for exploitation exists due to the nature of CSRF vulnerabilities.
Check the official JK Social Photo Fetcher website or WordPress plugin repository for the latest advisory and patch information.