MEDIUMCVE-2025-68082CVSS 5.4

WordPress Semrush Content Toolkit 插件 <= 1.1.32 - 跨站请求伪造 (CSRF) 漏洞

Q: What is CVE-2025-68082 — CSRF in Semrush Content Toolkit?

CVE-2025-68082 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Semrush Content Toolkit versions 0.0.0–1.1.32, allowing attackers to perform unauthorized actions.

Q: Am I affected by CVE-2025-68082 in Semrush Content Toolkit?

You are affected if you are using Semrush Content Toolkit versions 0.0.0 through 1.1.32. Upgrade to 1.1.33 to mitigate the risk.

Q: How do I fix CVE-2025-68082 in Semrush Content Toolkit?

Upgrade the Semrush Content Toolkit plugin to version 1.1.33 or later. Consider implementing stricter input validation and CSP headers as additional security measures.

Q: Is CVE-2025-68082 being actively exploited?

There is no confirmed active exploitation of CVE-2025-68082 at this time, but the risk remains until the vulnerability is patched.

Q: Where can I find the official Semrush advisory for CVE-2025-68082?

Refer to the Semrush security advisory for details and updates regarding CVE-2025-68082: [https://www.semrush.com/security/advisories/](https://www.semrush.com/security/advisories/)

平台

wordpress

组件

semrush-contentshake

修复版本

1.1.33

AI Confidence: highNVDEPSS 0.0%已审阅: 2026年5月

在NVD查看

保存

正在翻译为您的语言…

CVE-2025-68082 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Semrush Content Toolkit. This vulnerability allows an attacker to trick a user into performing actions they did not intend to, potentially leading to unauthorized modifications or deletions within the toolkit. The vulnerability affects versions from 0.0.0 up to and including 1.1.32, and a fix is available in version 1.1.33.

WordPress

检测此 CVE 是否影响你的项目

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描

影响与攻击场景翻译中…

A successful CSRF attack could allow an attacker to manipulate the Semrush Content Toolkit on behalf of an authenticated user. This could involve actions like modifying content, changing user settings, or even deleting data. The impact is directly tied to the permissions of the compromised user account. If a user with administrative privileges is targeted, the attacker could gain significant control over the toolkit's configuration and data. While CSRF typically requires social engineering to trick a user into clicking a malicious link, the potential for automated exploitation exists if the attacker can control the user's environment.

利用背景翻译中…

The vulnerability was publicly disclosed on December 16, 2025. No public proof-of-concept (PoC) code has been released at the time of this writing. The vulnerability is not currently listed on CISA KEV. The probability of exploitation is considered low to medium, pending the release of PoCs and the prevalence of targeted attacks.

哪些人处于风险中翻译中…

Websites utilizing the Semrush Content Toolkit plugin, particularly those with users who have elevated privileges within the toolkit. Shared WordPress hosting environments are also at increased risk, as vulnerabilities in plugins can impact multiple sites.

检测步骤翻译中…

• wordpress / composer / npm:

grep -r 'semrush-contentshake' /var/www/html/
wp plugin list | grep semrush-contentshake

• generic web:

curl -I https://your-wordpress-site.com/wp-content/plugins/semrush-contentshake/ | grep Content-Security-Policy

攻击时间线

2025-12-16Disclosure
disclosure

威胁情报

漏洞利用状态

概念验证未知

CISA KEVNO

互联网暴露高

EPSS

0.02% (5% 百分位)

CISA SSVC

利用情况none

可自动化no

技术影响partial

CVSS 向量

这些指标意味着什么？

Attack Vector: 网络 — 可通过互联网远程利用，无需物理或本地访问。攻击面最大。
Attack Complexity: 低 — 无需特殊条件，可以稳定地利用漏洞。
Privileges Required: 无 — 无需认证，无需凭证即可利用。
User Interaction: 需要 — 受害者必须打开文件、点击链接或访问特制页面。
Scope: 未改变 — 影响仅限于脆弱组件本身。
Confidentiality: 无 — 无机密性影响。
Integrity: 低 — 攻击者可修改部分数据，影响有限。
Availability: 低 — 部分或间歇性拒绝服务。

受影响的软件

组件semrush-contentshake

供应商wordfence

影响范围修复版本

0.0.0 – 1.1.321.1.33

软件包信息

活跃安装数: 2K小众
插件评分: 2.6
需要WordPress版本: 5.0+
兼容至: 6.8.5

弱点分类 (CWE)

CWE-352

时间线

已保留2025-12-15
发布日期2025-12-16
修改日期2026-04-28
EPSS 更新日期2026-03-23

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2025-68082 is to upgrade the Semrush Content Toolkit to version 1.1.33 or later. If immediate upgrading is not possible, consider implementing stricter input validation and output encoding within the application to reduce the attack surface. Additionally, enabling Content Security Policy (CSP) headers can help prevent the browser from executing malicious scripts from untrusted sources. While a direct WAF rule is unlikely, generic CSRF protection rules might offer some limited defense. After upgrading, verify the fix by attempting a CSRF attack against a test user account and confirming that the attack is blocked.

修复方法

更新到 1.1.33 版本，或更新的修复版本

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2025-68082 — CSRF in Semrush Content Toolkit?

CVE-2025-68082 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Semrush Content Toolkit versions 0.0.0–1.1.32, allowing attackers to perform unauthorized actions.

Am I affected by CVE-2025-68082 in Semrush Content Toolkit?

You are affected if you are using Semrush Content Toolkit versions 0.0.0 through 1.1.32. Upgrade to 1.1.33 to mitigate the risk.

How do I fix CVE-2025-68082 in Semrush Content Toolkit?

Upgrade the Semrush Content Toolkit plugin to version 1.1.33 or later. Consider implementing stricter input validation and CSP headers as additional security measures.

Is CVE-2025-68082 being actively exploited?

There is no confirmed active exploitation of CVE-2025-68082 at this time, but the risk remains until the vulnerability is patched.

Where can I find the official Semrush advisory for CVE-2025-68082?

Refer to the Semrush security advisory for details and updates regarding CVE-2025-68082: [https://www.semrush.com/security/advisories/](https://www.semrush.com/security/advisories/)

你的项目受影响吗?

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE