Platform
wordpress
Component
meks-quick-plugin-disabler
Fixed version
1.0.1
CVE-2025-68083 identifies a Cross-Site Request Forgery (CSRF) vulnerability within the Meks Quick Plugin Disabler WordPress plugin. This flaw allows an attacker to potentially execute unauthorized actions on a user's account if they are tricked into clicking a malicious link. The vulnerability impacts versions from 0.0.0 through 1.0, and a patch is expected from the vendor.
A successful CSRF attack could allow an attacker to modify plugin settings, disable plugins, or perform other administrative actions as the logged-in user. This could lead to website defacement, data breaches, or even complete compromise of the WordPress installation. The impact is amplified if the affected user has administrator privileges, granting the attacker broad control over the website. While CSRF typically requires social engineering to trick a user into clicking a malicious link, the potential consequences can be severe.
This vulnerability was publicly disclosed on 2025-12-16. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Exploitation probability is considered low due to the reliance on social engineering and the lack of readily available exploits.
Websites utilizing the Meks Quick Plugin Disabler plugin, particularly those running older, unpatched versions (0.0.0–1.0), are at risk. Shared hosting environments where plugin updates are not managed by the user are also particularly vulnerable.
• wordpress / composer / npm:
grep -r 'meks-quick-plugin-disabler/index.php' /var/www/html/
• generic web (the URL is quoted so the shell does not treat the `&` in the query string as a background operator):
curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=meks_quick_plugin_disabler_disable_plugin&plugin=some-plugin' | grep -i '200 OK'
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to a patched version of the Meks Quick Plugin Disabler plugin as soon as it becomes available. Until a patch is released, consider implementing a Content Security Policy (CSP) to restrict the sources from which the browser can load resources. Additionally, use WordPress's built-in CSRF protection (nonce verification) so that every sensitive action is both authenticated and validated. Monitor WordPress activity logs for suspicious requests originating from unexpected sources.
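The following is an added example and not the Meks Quick Plugin Disabler's own code: it shows the class of flaw the advisory describes (an admin-ajax handler that acts on a request without WordPress's nonce check) next to the hardened form that the mitigation paragraph refers to. The hook name `example_qpd_disable_plugin`, the nonce action of the same name, and the script handle `example-qpd-admin` are hypothetical placeholders; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `deactivate_plugins`, `get_plugins`, `wp_create_nonce`, `wp_localize_script`, `wp_send_json_*`) are the real core APIs.

```php
<?php
/**
 * Added example (not the plugin's own code): a WordPress admin-ajax handler
 * that deactivates a plugin, first without and then with WordPress's built-in
 * CSRF protection. Hook, nonce and script names are hypothetical placeholders.
 */

// --- Vulnerable pattern: no nonce check, no capability check. ---------------
// Any request to admin-ajax.php?action=example_qpd_disable_plugin_unsafe that
// carries the victim's logged-in cookies is honoured, which is exactly what a
// forged cross-site request does.
add_action( 'wp_ajax_example_qpd_disable_plugin_unsafe', function () {
    deactivate_plugins( $_REQUEST['plugin'] ); // unvalidated input, no nonce
    wp_die();
} );

// --- Hardened pattern. ------------------------------------------------------
add_action( 'wp_ajax_example_qpd_disable_plugin', 'example_qpd_disable_plugin' );

function example_qpd_disable_plugin() {
    // 1. Authorisation: only users allowed to manage plugins may proceed.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. CSRF defence: the request must carry a nonce bound to this action and
    //    to the current user's session. A third-party page cannot obtain it.
    //    check_ajax_referer() terminates the request with HTTP 403 on failure.
    check_ajax_referer( 'example_qpd_disable_plugin', 'nonce' );

    // 3. Input validation: accept only a plugin file that is actually installed.
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $plugin = isset( $_POST['plugin'] )
        ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) )
        : '';
    if ( '' === $plugin || ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_send_json_error( 'unknown plugin', 400 );
    }

    deactivate_plugins( $plugin );
    wp_send_json_success( array( 'deactivated' => $plugin ) );
}

// The admin-page script that calls the handler receives the nonce from
// WordPress itself (assumes a script with handle 'example-qpd-admin' has been
// registered and enqueued elsewhere in the plugin).
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-qpd-admin', 'exampleQpd', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_qpd_disable_plugin' ),
    ) );
} );
```

The nonce check is the piece the advisory's "built-in CSRF protection" refers to; the capability check is a separate control and should be present regardless, since a nonce proves intent, not permission. For a plain HTML form handled through admin-post.php the equivalent pair is `wp_nonce_field()` in the form and `check_admin_referer()` in the handler.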
No known fix patch exists. Review the vulnerability details carefully and apply mitigations according to your organization's risk tolerance. Uninstalling the affected software and finding an alternative may be the best course of action.
CVE-2025-68083 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Meks Quick Plugin Disabler WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using the Meks Quick Plugin Disabler plugin in versions 0.0.0 through 1.0. Upgrade as soon as a patch is available.
Upgrade to the latest version of the plugin as soon as a patch is released by the vendor. Implement CSP and monitor activity logs in the interim.
There are currently no confirmed reports of active exploitation, but the vulnerability remains a potential risk.
Check the official Meks Quick Plugin Disabler website or WordPress plugin repository for updates and advisories related to this vulnerability.