Platform
wordpress
Component
wp-plugin-manager
Fixed version
1.4.8
CVE-2025-64271 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the HasThemes WP Plugin Manager WordPress plugin. It lets an attacker cause unauthorized actions to be performed in the context of an authenticated user who is tricked into clicking a malicious link. The vulnerability affects versions from 0.0 up to and including 1.4.7; a patch has been released in version 1.4.8.
A successful CSRF attack could allow an attacker to modify plugin settings, install or uninstall plugins, or perform other administrative actions as the logged-in user. The impact is particularly severe if the targeted user has administrator privileges, as this could lead to complete compromise of the WordPress site. Attackers could leverage social engineering techniques, such as phishing emails or malicious websites, to trick users into clicking crafted links that trigger the CSRF vulnerability. This could result in unauthorized changes to the website's functionality and data, potentially leading to data breaches or website defacement.
CVE-2025-64271 was publicly disclosed on 2025-11-13. There are currently no known public proof-of-concept exploits available, but the CSRF nature of the vulnerability means that exploitation is relatively straightforward once a malicious link is crafted. The vulnerability is not currently listed on the CISA KEV catalog. Monitor security advisories and vulnerability databases for updates.
Websites using the HasThemes WP Plugin Manager plugin, particularly those with administrator accounts that are frequently targeted by phishing attacks, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one website could potentially lead to the compromise of others.
• wordpress / composer / npm:
ls /var/www/html/wp-content/plugins/ | grep -i wp-plugin-manager
• wordpress / composer / npm:
wp plugin list --fields=name,status,version | grep wp-plugin-manager
• wordpress / composer / npm:
curl -s https://your-wordpress-site.com/wp-content/plugins/wp-plugin-manager/readme.txt | grep -i 'Stable tag'
Disclosure
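To turn the one-liners above into a pass/fail check, the script below reads the plugin's `Version:` header and compares it with the fixed release 1.4.8. It is an added example written for this page, not code from the advisory or from HasThemes; the plugin directory `wp-content/plugins/wp-plugin-manager` and the standard WordPress `Version:` header are assumptions, and the 1.4.7 header it verifies itself against is a constructed sample file.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): decide whether an
# installed copy of WP Plugin Manager is inside the affected range
# 0.0 .. 1.4.7 by reading its version header and comparing it with the
# fixed version 1.4.8. Assumptions: the plugin directory is
# wp-content/plugins/wp-plugin-manager and, like every WordPress plugin,
# its main PHP file declares "Version:" in the header comment.

FIXED_VERSION="1.4.8"
DEFAULT_DIR="/var/www/html/wp-content/plugins/wp-plugin-manager"

# version_lt A B: succeed when dotted version A is strictly lower than B.
# Numeric per-field sort, so 1.10.0 correctly sorts after 1.4.8.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$1" ]
}

# is_affected VERSION: succeed when VERSION is below the fixed release.
is_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# plugin_version DIR: print the "Version:" header value from the plugin's
# PHP files (WordPress reads plugin metadata from this header comment).
plugin_version() {
    grep -h -i '^[[:space:]*]*Version:' "$1"/*.php 2>/dev/null \
        | head -n1 \
        | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# check_plugin DIR: print "affected (...)", "patched (...)" or "not-installed".
check_plugin() {
    v=$(plugin_version "$1")
    if [ -z "$v" ]; then
        echo "not-installed"
    elif is_affected "$v"; then
        echo "affected ($v < $FIXED_VERSION)"
    else
        echo "patched ($v)"
    fi
}

# demo_check: run check_plugin against a constructed plugin header (sample
# data for the demonstration, not the real plugin's file).
demo_check() {
    tmp=$(mktemp -d)
    printf '<?php\n/**\n * Plugin Name: Sample Plugin\n * Version: 1.4.7\n */\n' > "$tmp/sample.php"
    check_plugin "$tmp"
    rm -rf "$tmp"
}

# Usage: ./check_wppm.sh [plugin-dir]
check_plugin "${1:-$DEFAULT_DIR}"
```

The per-field numeric sort matters because a plain string comparison would rank a future 1.10.0 below 1.4.8 and report a patched install as affected. Point the script at a different directory if the plugin was installed under a custom `WP_CONTENT_DIR`.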
Exploit status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-64271 is to immediately upgrade the WP Plugin Manager plugin to version 1.4.8 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, ensure that users are educated about the risks of clicking suspicious links and are encouraged to verify the legitimacy of any requests before submitting them. Regularly review WordPress plugin permissions and restrict access to sensitive functions where possible.
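Alongside a WAF rule set, the web server's access log can be triaged for the trace this vulnerability class leaves behind: a state-changing request to `/wp-admin/` whose Referer points at a page on another site (or is absent). The script below is an added example written for this page, not part of the advisory or the plugin; `SITE_HOST`, the combined log format, and the four log lines it runs over are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): scan a combined-format
# access log for POST requests to /wp-admin/ whose Referer is not our own host.
# A cross-site request forged from a third-party page arrives with that page
# as its Referer (or with none at all), which makes this a cheap
# retrospective triage signal. Assumptions: Apache/nginx "combined" log
# format, and SITE_HOST is the site's own hostname.

SITE_HOST="your-wordpress-site.com"

# Constructed sample traffic for the demonstration; these are not real entries.
SAMPLE_LOG='203.0.113.5 - - [13/Nov/2025:10:00:01 +0000] "GET /wp-admin/plugins.php HTTP/1.1" 200 512 "https://your-wordpress-site.com/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [13/Nov/2025:10:00:05 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://third-party.example/page.html" "Mozilla/5.0"
203.0.113.9 - - [13/Nov/2025:10:00:09 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Nov/2025:10:00:12 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "https://your-wordpress-site.com/wp-admin/options-general.php" "Mozilla/5.0"'

# flag_offsite_admin_posts: reads log lines on stdin and prints one line per
# suspicious request: "<reason> <client-ip> <path> <referer-host>".
flag_offsite_admin_posts() {
    awk -v host="$SITE_HOST" '
        # $6 is the quoted method, $7 the request path, $11 the quoted Referer
        $6 == "\"POST" && $7 ~ /^\/wp-admin\// {
            ref = $11
            gsub(/"/, "", ref)
            if (ref == "-") {
                # A missing Referer is weaker evidence: browsers and privacy
                # extensions strip it, so report it under its own label.
                print "no-referer " $1 " " $7 " -"
                next
            }
            split(ref, parts, "/")      # "https:", "", "host[:port]", ...
            refhost = parts[3]
            sub(/:.*/, "", refhost)     # drop any port
            if (refhost != host)
                print "offsite-referer " $1 " " $7 " " refhost
        }'
}

# count_flagged_sample: number of lines the filter flags in the sample,
# used to sanity-check the filter.
count_flagged_sample() {
    printf '%s\n' "$SAMPLE_LOG" | flag_offsite_admin_posts | wc -l | tr -d ' '
}

# Usage: ./csrf_triage.sh /var/log/apache2/access.log
if [ $# -gt 0 ]; then
    flag_offsite_admin_posts < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | flag_offsite_admin_posts
fi
```

Treat the output as a triage list rather than proof: the combined log format does not record the `Origin` header, browsers omit the Referer when the Referrer-Policy says so, and legitimate integrations may post to admin endpoints from elsewhere. What the list does give an incident responder is a short set of requests to correlate with the plugin's settings history around the time of any unexpected change.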
Update to version 1.4.8 or a later patched version.
CVE-2025-64271 is a Cross-Site Request Forgery (CSRF) vulnerability in the HasThemes WP Plugin Manager WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using WP Plugin Manager versions 0.0 through 1.4.7. Upgrade to 1.4.8 or later to mitigate the risk.
Upgrade the WP Plugin Manager plugin to version 1.4.8 or later. Consider implementing a WAF with CSRF protection as an interim measure.
While no public exploits are currently known, the CSRF nature of the vulnerability makes exploitation relatively straightforward, so vigilance is advised.
Refer to the HasThemes website and WordPress plugin repository for the latest advisory and update information.