Platform
wordpress
Component
rabbit-hole
Opgelost in
1.1.1
CVE-2025-13366 describes a Cross-Site Request Forgery (XSRF) vulnerability affecting the Rabbit Hole plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the plugin's settings by tricking administrators into performing actions, such as clicking malicious links. The vulnerability impacts versions 0.0.0 through 1.1 and can lead to unauthorized configuration changes.
The primary impact of CVE-2025-13366 is the potential for an attacker to reset the Rabbit Hole plugin's settings without authentication. This could involve altering critical configurations, disabling features, or introducing malicious code. Because the reset operation is performed via a GET request, exploitation is simplified, requiring only a crafted link or image tag to trigger the action. Successful exploitation could compromise the integrity of the WordPress site and potentially lead to further attacks if the plugin's settings control access to sensitive data or functionality.
CVE-2025-13366 was publicly disclosed on 2025-12-12. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's ease of exploitation (GET request) suggests a potential for opportunistic attacks. It is not currently listed on the CISA KEV catalog.
WordPress sites utilizing the Rabbit Hole plugin, particularly those with site administrators who are susceptible to social engineering attacks or who frequently click on links from untrusted sources, are at risk. Shared hosting environments where multiple websites share the same server resources may also be vulnerable if one site is compromised.
• wordpress / composer / npm:
grep -r 'reset_options' /var/www/html/wp-content/plugins/rabbit-hole/• wordpress / composer / npm:
wp plugin list --status=all | grep 'rabbit-hole'• wordpress / composer / npm:
wp plugin update rabbit-hole• generic web: Check WordPress plugin directory for updates to Rabbit Hole.
disclosure
Exploit Status
EPSS
0.02% (3% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-13366 is to upgrade the Rabbit Hole plugin to a version that addresses the XSRF vulnerability. Since no fixed version is provided, monitor the plugin developer's website for updates. As a temporary workaround, restrict access to the plugin's reset functionality using a WordPress firewall (WAF) or by implementing custom access controls. Carefully review any links or actions requested by administrators to prevent accidental exploitation.
Geen bekende patch beschikbaar. Bestudeer de details van de kwetsbaarheid grondig en pas mitigaties toe op basis van de risicotolerantie van uw organisatie. Het kan het beste zijn om de getroffen software te verwijderen en een vervanging te vinden.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2025-13366 is a Cross-Site Request Forgery (XSRF) vulnerability in the Rabbit Hole WordPress plugin, allowing attackers to potentially reset plugin settings without authentication.
If you are using Rabbit Hole plugin versions 0.0.0 through 1.1, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it's available.
The recommended fix is to upgrade the Rabbit Hole plugin to a version that addresses the XSRF vulnerability. Monitor the plugin developer's website for updates. Implement WAF rules as a temporary workaround.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for opportunistic attacks.
Check the Rabbit Hole plugin developer's website and the WordPress plugin directory for official advisories and updates related to CVE-2025-13366.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.