Plataforma
wordpress
Componente
rabbit-hole
Corrigido em
1.1.1
CVE-2025-13366 describes a Cross-Site Request Forgery (XSRF) vulnerability affecting the Rabbit Hole plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the plugin's settings by tricking administrators into performing actions, such as clicking malicious links. The vulnerability impacts versions 0.0.0 through 1.1 and can lead to unauthorized configuration changes.
The primary impact of CVE-2025-13366 is the potential for an attacker to reset the Rabbit Hole plugin's settings without authentication. This could involve altering critical configurations, disabling features, or introducing malicious code. Because the reset operation is performed via a GET request, exploitation is simplified, requiring only a crafted link or image tag to trigger the action. Successful exploitation could compromise the integrity of the WordPress site and potentially lead to further attacks if the plugin's settings control access to sensitive data or functionality.
CVE-2025-13366 was publicly disclosed on 2025-12-12. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's ease of exploitation (GET request) suggests a potential for opportunistic attacks. It is not currently listed on the CISA KEV catalog.
WordPress sites utilizing the Rabbit Hole plugin, particularly those with site administrators who are susceptible to social engineering attacks or who frequently click on links from untrusted sources, are at risk. Shared hosting environments where multiple websites share the same server resources may also be vulnerable if one site is compromised.
• wordpress / composer / npm:
grep -r 'reset_options' /var/www/html/wp-content/plugins/rabbit-hole/• wordpress / composer / npm:
wp plugin list --status=all | grep 'rabbit-hole'• wordpress / composer / npm:
wp plugin update rabbit-hole• generic web: Check WordPress plugin directory for updates to Rabbit Hole.
disclosure
Status do Exploit
EPSS
0.02% (percentil 3%)
CISA SSVC
Vetor CVSS
The primary mitigation for CVE-2025-13366 is to upgrade the Rabbit Hole plugin to a version that addresses the XSRF vulnerability. Since no fixed version is provided, monitor the plugin developer's website for updates. As a temporary workaround, restrict access to the plugin's reset functionality using a WordPress firewall (WAF) or by implementing custom access controls. Carefully review any links or actions requested by administrators to prevent accidental exploitation.
Nenhum patch conhecido disponível. Por favor, revise os detalhes da vulnerabilidade em profundidade e empregue mitigações com base na tolerância ao risco da sua organização. Pode ser melhor desinstalar o software afetado e encontrar um substituto.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2025-13366 is a Cross-Site Request Forgery (XSRF) vulnerability in the Rabbit Hole WordPress plugin, allowing attackers to potentially reset plugin settings without authentication.
If you are using Rabbit Hole plugin versions 0.0.0 through 1.1, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it's available.
The recommended fix is to upgrade the Rabbit Hole plugin to a version that addresses the XSRF vulnerability. Monitor the plugin developer's website for updates. Implement WAF rules as a temporary workaround.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for opportunistic attacks.
Check the Rabbit Hole plugin developer's website and the WordPress plugin directory for official advisories and updates related to CVE-2025-13366.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.