Platform
wordpress
Component
peer-publish
Opgelost in
1.0.1
CVE-2025-12587 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Peer Publish plugin for WordPress. This flaw allows unauthenticated attackers to manipulate website configurations, such as adding, modifying, or deleting websites, if they can trick an administrator into performing actions via a forged request. The vulnerability impacts versions 1.0.0 through 1.0, and a fix is pending.
The core impact of this CSRF vulnerability lies in the potential for unauthorized modification of website configurations. An attacker could leverage this to add malicious websites, alter existing settings to redirect traffic or inject malicious code, or even delete legitimate websites. Successful exploitation could lead to a complete compromise of the WordPress site's functionality and data integrity. The attack vector relies on social engineering – tricking an administrator into clicking a malicious link or visiting a crafted page. While requiring user interaction, the ease of crafting such attacks makes this a significant risk.
This vulnerability was publicly disclosed on 2025-11-25. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively straightforward nature of CSRF exploitation and the plugin's functionality, it is reasonable to expect that attackers may begin targeting vulnerable installations.
WordPress websites utilizing the Peer Publish plugin, particularly those with shared hosting environments or where administrator accounts are not adequately secured, are at heightened risk. Sites with less stringent URL filtering and those where administrators are prone to clicking on suspicious links are also more vulnerable.
• wordpress / composer / npm:
grep -r 'Peer Publish' /var/www/html/wp-content/plugins/
wp plugin list --status=all | grep 'Peer Publish'• generic web:
curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=peer_publish_add_websitedisclosure
Exploit Status
EPSS
0.02% (3% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation is to upgrade to a patched version of the Peer Publish plugin as soon as it becomes available. Until then, consider implementing temporary workarounds. Restrict administrator access to only essential tasks and implement strict URL filtering to prevent access to potentially malicious sites. Employ a Web Application Firewall (WAF) with CSRF protection rules to block forged requests. Regularly review website configurations for any unauthorized changes. After upgrading, confirm the fix by attempting a CSRF attack on the website management pages and verifying that the request is blocked.
Geen bekende patch beschikbaar. Bestudeer de details van de kwetsbaarheid grondig en pas mitigaties toe op basis van de risicotolerantie van uw organisatie. Het kan het beste zijn om de getroffen software te verwijderen en een vervanging te vinden.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2025-12587 is a Cross-Site Request Forgery (CSRF) vulnerability in the Peer Publish WordPress plugin, allowing attackers to manipulate website configurations via forged requests.
You are affected if you are using Peer Publish WordPress plugin versions 1.0.0–1.0 and have not upgraded to a patched version.
Upgrade to a patched version of the Peer Publish plugin as soon as it becomes available. Implement temporary workarounds like URL filtering and WAF rules until the upgrade.
No active exploitation has been confirmed at this time, but the vulnerability's nature suggests potential for future attacks.
Check the Peer Publish plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-12587.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.