Platform
wordpress
Component
rtl-tester
Fixed version
1.2.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the RTL Tester WordPress plugin. The flaw lets an attacker cause an authenticated user's browser to perform plugin actions the user did not intend, which can lead to unauthorized modifications or deletions within the plugin's functionality. The vulnerability affects versions from 0.0.0 up to and including 1.2 and is fixed in 1.2.1; apply the plugin update.
The CSRF vulnerability in RTL Tester exists because at least one state-changing plugin request is accepted without a valid WordPress nonce (or equivalent anti-CSRF check). An attacker who can get a user to visit a page they control while that user is logged into WordPress can make the user's browser submit a crafted request to the vulnerable endpoint, and WordPress will process it with the victim's session cookies and privileges. The resulting actions run as the victim: modifying RTL Tester settings, deleting test configurations, or any other operation the unprotected endpoint exposes. Because the forged request is sent cross-origin, the attacker does not see the response, so CSRF on its own does not disclose data; the realistic impact is loss of integrity (tampered or deleted plugin state) and disruption of testing workflows. The blast radius is bounded by what the victim's account is allowed to do through the plugin's endpoints, so the highest-impact victim is an administrator.
As of the publication date (2025-12-16), there is no indication of active exploitation of CVE-2025-64239. No public proof-of-concept (POC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The medium CVSS score suggests a moderate level of potential risk. Note that CSRF exploitation leaves little trace in server logs: the forged request arrives from the victim's own IP with a valid session, so the only usable indicators are POST requests to the plugin's endpoints whose Origin or Referer header does not match the site.
WordPress websites utilizing the RTL Tester plugin, particularly those running vulnerable versions (0.0.0–1.2), are at risk. Shared hosting environments where plugin updates are managed centrally should be prioritized for remediation. Developers integrating RTL Tester into custom WordPress themes or plugins also need to address this vulnerability.
Detection. The first command locates the plugin's main file on disk, the other two use WP-CLI to list the plugin together with its version column; compare the reported version against 1.2.1. An inactive plugin's code is not loaded, so its handlers are not reachable, but it should still be updated or removed so it cannot be re-enabled in a vulnerable state.
• wordpress / composer / npm: find /var/www/html -path "*/plugins/rtl-tester/rtl-tester.php"
• wordpress / composer / npm: wp plugin list --status=inactive | grep rtl-tester
• wordpress / composer / npm: wp plugin list | grep rtl-tester
Exploitation status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-64239 is to upgrade the RTL Tester plugin to 1.2.1 or later, which adds the missing anti-CSRF check. If upgrading immediately is not feasible due to compatibility concerns or testing requirements, a Web Application Firewall (WAF) rule can reduce exposure by rejecting POST requests to the plugin's admin endpoints whose Origin (or, failing that, Referer) header is absent or does not match the site's own origin; a forged cross-site request carries the attacker's origin, a legitimate one carries yours. Do not try to match on CSRF tokens in the WAF: the vulnerable requests are precisely the ones that are processed without a token, and a WAF cannot validate a WordPress nonce. Also remind users that clicking links from untrusted sources while logged in to wp-admin is what makes CSRF possible. After upgrading, verify the fix by capturing a legitimate settings submission in a tool such as Burp Suite, replaying it with the nonce parameter removed or altered, and confirming that WordPress now refuses it (a 403 with the "The link you followed has expired" page is the standard nonce-failure response) instead of applying the change.
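The handler pattern behind the impact and mitigation sections above, as an added example that is not RTL Tester's code: a hypothetical settings handler for a made-up plugin slug (`rtl_demo`), first in the CSRF-prone form that processes any POST reaching it, then hardened with WordPress's nonce and capability checks. The option name, action names, capability and form markup are assumptions chosen for illustration; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `sanitize_key`, `wp_unslash`, `wp_safe_redirect`) are real.

```php
<?php
/**
 * Added example, not RTL Tester's own code. Hypothetical plugin "rtl_demo"
 * whose settings form posts to admin-post.php. Shows the CSRF-prone handler
 * and its hardened equivalent side by side.
 */

// --- Vulnerable pattern --------------------------------------------------
// Registered under a separate action name so both variants can coexist here.
add_action( 'admin_post_rtl_demo_save_vulnerable', function () {
    // No nonce and no capability check: a cross-site form auto-submitted by
    // the victim's browser is indistinguishable from a real settings save,
    // because the browser attaches the WordPress auth cookies either way.
    update_option( 'rtl_demo_direction', $_POST['direction'] ?? 'ltr' );
    wp_safe_redirect( admin_url( 'options-general.php?page=rtl-demo' ) );
    exit;
} );

// --- Hardened pattern ----------------------------------------------------
add_action( 'admin_post_rtl_demo_save', 'rtl_demo_handle_save' );

function rtl_demo_handle_save() {
    // 1. CSRF defence. The nonce is derived from the action, the user and
    //    the session, and is only present in pages served by this site, so
    //    a forged cross-site request cannot supply a valid one. On failure
    //    check_admin_referer() stops with a 403 "The link you followed has
    //    expired" page, which is the response to expect when re-testing.
    check_admin_referer( 'rtl_demo_save', 'rtl_demo_nonce' );

    // 2. Authorisation. A nonce proves intent, not permission; keep the
    //    capability check so a low-privileged user cannot save settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 3. Validate against an allow-list rather than storing raw POST data.
    $direction = isset( $_POST['direction'] )
        ? sanitize_key( wp_unslash( $_POST['direction'] ) )
        : 'ltr';
    if ( ! in_array( $direction, array( 'ltr', 'rtl' ), true ) ) {
        $direction = 'ltr';
    }
    update_option( 'rtl_demo_direction', $direction );

    wp_safe_redirect(
        add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=rtl-demo' ) )
    );
    exit;
}

// The legitimate settings form must emit the matching nonce field; without
// it, the hardened handler rejects the site's own submissions too.
function rtl_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rtl_demo_save">
        <?php wp_nonce_field( 'rtl_demo_save', 'rtl_demo_nonce' ); ?>
        <select name="direction">
            <option value="ltr">LTR</option>
            <option value="rtl">RTL</option>
        </select>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The same split applies to AJAX handlers (`wp_ajax_*`), where `check_ajax_referer()` plays the role of `check_admin_referer()`. When verifying a patched plugin, replaying the captured form POST with `rtl_demo_nonce` (or the plugin's real nonce field) removed should hit step 1 and produce the 403 page; if the change is still applied, the endpoint is not protected.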
If the 1.2.1 update cannot be applied, review the vulnerability details carefully and implement mitigations in line with your organization's risk tolerance. Where the plugin is not needed, uninstalling it is the simplest option.
CVE-2025-64239 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the RTL Tester WordPress plugin, allowing attackers to perform unauthorized actions as logged-in users.
You are affected if your WordPress site uses RTL Tester version 0.0.0 through 1.2. Check your plugin versions and update immediately.
Upgrade the RTL Tester plugin to 1.2.1 or later, which contains the fix for this CSRF vulnerability. An origin-checking WAF rule can serve as a temporary workaround.
As of December 16, 2025, there is no evidence of active exploitation, but monitoring is recommended.
Check the RTL Tester plugin's official website or WordPress plugin repository for the advisory and update information.