Platform
wordpress
Component
userswp
Fixed version
1.2.49
CVE-2025-67593 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the UsersWP WordPress plugin. This vulnerability allows an attacker to potentially perform unauthorized actions on a user's account if they can trick the user into clicking a malicious link. The vulnerability impacts versions of UsersWP from 0.0.0 through 1.2.48, and a patch is available in version 1.2.49.
A successful CSRF attack could allow an attacker to modify user roles, change passwords, or perform other administrative actions within the WordPress site, all without the user's knowledge or consent. The impact is particularly severe if the attacker can target users with administrative privileges, potentially gaining full control of the website. This vulnerability is similar to other CSRF flaws where user interaction is required, but the potential for unauthorized actions remains significant, especially in environments with shared hosting or where users frequently click on external links.
CVE-2025-67593 was publicly disclosed on 2025-12-09. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the CSRF nature of the vulnerability means that exploitation is relatively straightforward once a suitable attack vector is identified.
Websites using the UsersWP plugin, particularly those with administrative users or those that allow users to manage other users' accounts, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise on one site could potentially impact others.
• wordpress / composer / npm:
grep -r 'userswp_ajax_nonce' /var/www/html/wp-content/plugins/userswp/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/userswp/ | grep -i 'csrf-token'
Disclosure
Exploitation status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-67593 is to immediately upgrade the UsersWP plugin to version 1.2.49 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. Additionally, ensure that users are educated about the risks of clicking on suspicious links and entering credentials on untrusted websites. After upgrading, verify the fix by attempting to trigger a CSRF attack using a known payload and confirming that the action is blocked.
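As an added example (not from this advisory or from the UsersWP project), the following POSIX shell script reads the standard WordPress "Version:" plugin header from a plugin's main file and reports whether the installed copy is below the fixed version 1.2.49. It assumes the usual plugin header format and that the main file is wp-content/plugins/userswp/userswp.php; the header it checks here is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the advisory or the UsersWP project: report whether
# an installed UsersWP copy is below the fixed version 1.2.49 by reading the
# standard WordPress "Version:" plugin header (assumed format).
FIXED_VERSION="1.2.49"

# Print the value of the "Version:" header from a plugin main file.
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# True (exit 0) when dotted version $1 is strictly lower than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "[.]"); m = split(b, y, "[.]"); k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# Exit 0 if the plugin file $1 is in the affected range, 1 if fixed,
# 2 if no Version: header could be read.
check_userswp() {
    v=$(plugin_version "$1")
    [ -n "$v" ] || { echo "no Version header in $1"; return 2; }
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "AFFECTED: UsersWP $v is below $FIXED_VERSION"
        return 0
    fi
    echo "OK: UsersWP $v is $FIXED_VERSION or later"
    return 1
}

# Constructed sample header so the check runs offline; on a real site point
# check_userswp at wp-content/plugins/userswp/userswp.php (assumed main file).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<?php
/**
 * Plugin Name: UsersWP
 * Version: 1.2.48
 */
EOF
check_userswp "$SAMPLE" || true
rm -f "$SAMPLE"
```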
Update to version 1.2.49 or later, or to the latest fixed version.
CVE-2025-67593 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the UsersWP WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using UsersWP versions 0.0.0 through 1.2.48. Upgrade to 1.2.49 or later to mitigate the risk.
Upgrade the UsersWP plugin to version 1.2.49 or later. Consider WAF rules as a temporary workaround if upgrading is not immediately possible.
There is currently no evidence of active exploitation, but the CSRF nature of the vulnerability means exploitation is possible.
Refer to the UsersWP plugin's official website or WordPress plugin repository for the latest advisory and update information.