Platform
wordpress
Component
ctl-arcade-lite
Fixed in
1.0.1
CVE-2025-11886 describes a Cross-Site Request Forgery (CSRF) vulnerability in the CTL Arcade Lite plugin for WordPress. Because the plugin does not verify that a state-changing request was intentionally submitted by the logged-in user, an unauthenticated attacker can manipulate plugin settings, such as deactivating or activating plugins, by getting an administrator to submit a forged request. The vulnerability affects versions 1.0.0 through 1.0 of the plugin. A fix is expected in a future release.
The primary impact of this CSRF vulnerability is unauthorized plugin management. An attacker could craft a malicious link or embed a hidden form that, when visited or submitted by a logged-in site administrator, triggers actions on the WordPress site without the administrator's explicit consent. This could deactivate critical plugins and disrupt site functionality, or activate malicious plugins and compromise the entire WordPress installation. The blast radius covers any site running the vulnerable CTL Arcade Lite plugin, in particular sites whose administrators can be lured into opening attacker-controlled content while logged in.
CVE-2025-11886 is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. The EPSS score is low (0.03%), consistent with the need for administrator interaction. No public proof-of-concept exploits are currently known. The vulnerability was publicly disclosed on 2025-11-11. There are no indications of active exploitation campaigns at this time.
WordPress websites utilizing the CTL Arcade Lite plugin are at risk. Sites with shared hosting environments or those where administrative privileges are not carefully managed are particularly vulnerable. Administrators who frequently click on links from untrusted sources are also at higher risk.
• wordpress / composer / npm:
grep -r 'ctl_arcade_lite_page_manage_games' /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
wp plugin list --status=active | grep ctl-arcade-lite
• wordpress / composer / npm:
wp plugin auto-updates enable ctl-arcade-lite
Disclosure
Exploit Status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS-vector
The immediate mitigation for CVE-2025-11886 is to upgrade to a patched version of the CTL Arcade Lite plugin as soon as it becomes available. Until a patch is released, tighten administrative access controls and train administrators not to open untrusted links while logged in, which reduces the chance of a successful CSRF attack. A Web Application Firewall (WAF) configured to detect and block CSRF attempts adds a further layer of protection. Monitor WordPress plugin activity logs for suspicious requests. After upgrading, confirm the vulnerability is resolved by submitting a forged request against the previously vulnerable endpoint in a test environment and verifying that the request is blocked or fails.
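For plugin maintainers, the fix for this class of bug is the standard WordPress CSRF defence: tie every state-changing admin request to a nonce and a capability check, and reject the request before any option is touched. The following is an added example written for this page, not code from the CTL Arcade Lite plugin or its patch; the hook name `example_arcade_save_settings`, the option `example_arcade_enabled` and the form field names are hypothetical. It shows a settings form that emits a nonce and the `admin-post.php` handler that verifies it.

```php
<?php
/**
 * Added example (not code from the CTL Arcade Lite plugin): the standard
 * WordPress defence against CSRF on an admin settings handler.
 * The hook name, option name and form field names are assumptions.
 */

// Hypothetical settings form rendered on the plugin's admin page.
function example_arcade_render_settings_form() {
    $enabled = get_option( 'example_arcade_enabled', '0' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_arcade_save_settings">
        <?php
        // Emits a hidden field named "example_arcade_nonce" bound to the
        // current user session and action; a form on another origin
        // cannot know or forge this value.
        wp_nonce_field( 'example_arcade_save_settings', 'example_arcade_nonce' );
        ?>
        <label>
            <input type="checkbox" name="enabled" value="1" <?php checked( $enabled, '1' ); ?>>
            Enable arcade games
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handler for POSTs to admin-post.php?action=example_arcade_save_settings.
// Only logged-in users reach the "admin_post_" hook; "admin_post_nopriv_"
// is deliberately not registered, so anonymous requests are dropped.
function example_arcade_save_settings() {
    // 1. Capability check: the user must be allowed to change site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. CSRF check: the nonce must be present and valid for this action.
    //    check_admin_referer() wraps wp_verify_nonce() and terminates the
    //    request with a "link has expired" page on failure, so a forged
    //    cross-site request never reaches the state-changing code below.
    check_admin_referer( 'example_arcade_save_settings', 'example_arcade_nonce' );

    // 3. Only now touch state, after sanitising the input.
    $enabled = ( isset( $_POST['enabled'] ) && '1' === $_POST['enabled'] ) ? '1' : '0';
    update_option( 'example_arcade_enabled', $enabled );

    $back = wp_get_referer();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ? $back : admin_url() ) );
    exit;
}
add_action( 'admin_post_example_arcade_save_settings', 'example_arcade_save_settings' );
```

The vulnerable pattern this guards against is a handler that calls `update_option()` (or activates and deactivates plugins) on any POST it receives, with neither step 1 nor step 2. A WAF rule that checks for a same-origin `Origin` or `Referer` header on admin POSTs is a useful stopgap for site owners, but it is not a substitute for the nonce check, because those headers are not always sent.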
Update the CTL Arcade Lite plugin to the latest available version to mitigate the Cross-Site Request Forgery vulnerability. Make sure all site administrators are aware of this update and apply it as soon as possible to protect the site against possible attacks.
CVE-2025-11886 is a Cross-Site Request Forgery (CSRF) vulnerability in the CTL Arcade Lite WordPress plugin, allowing attackers to manipulate plugin settings without explicit admin consent.
You are affected if your WordPress site uses CTL Arcade Lite plugin versions 1.0.0–1.0. Upgrade to a patched version as soon as it's available.
Upgrade to the latest version of the CTL Arcade Lite plugin once a patch is released. Until then, implement WAF rules and user awareness training.
There are currently no indications of active exploitation campaigns for CVE-2025-11886.
Check the CTL Arcade Lite plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-11886.