Foxtool All-in-One: 联系聊天按钮、自定义登录、媒体优化图片 <= 2.5.2 - 对 Google OAuth 连接的跨站请求伪造 (Cross-Site Request Forgery)

The primary impact of this CSRF vulnerability lies in the potential for unauthorized OAuth connection establishment. An attacker could craft a malicious link or embed it within a website or email, enticing a site administrator to click it. Upon clicking, the attacker could forge a request, effectively granting them access to the administrator's account and potentially compromising sensitive data or performing actions on behalf of the administrator. This could lead to unauthorized access to user information, modification of site content, or even complete control over the WordPress site, depending on the permissions associated with the administrator's account. The risk is amplified if the OAuth connection is linked to other services or APIs, potentially extending the attacker's reach beyond the WordPress site itself.

WordPress sites utilizing the Foxtool All-in-One plugin, particularly those with site administrators who frequently interact with OAuth-connected services, are at risk. Shared hosting environments where multiple WordPress sites share the same server resources are also potentially vulnerable, as a compromise of one site could lead to the exploitation of others.

• wordpress / composer / npm:

grep -r 'foxtool_login_google()' /var/www/html/wp-content/plugins/foxtool-all-in-one/

• wordpress / composer / npm:

wp plugin list | grep foxtool-all-in-one

• wordpress / composer / npm:

wp plugin update foxtool-all-in-one

1. 2025-12-12Disclosure

   disclosure

活跃安装数

7K小众

插件评分

5.0

兼容至

6.9.4

需要PHP版本

7.2+

1. 已保留2025-11-19
2. 发布日期2025-12-12
3. 修改日期2026-04-08
4. EPSS 更新日期2026-03-23

The primary mitigation for CVE-2025-13408 is to immediately upgrade the Foxtool All-in-One plugin to version 2.5.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and output encoding practices within the plugin's code to prevent the exploitation of the missing nonce validation. Additionally, implement a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Educate administrators about the risks of clicking on suspicious links and encourage them to verify the authenticity of any requests before performing actions. After upgrading, confirm the fix by attempting to trigger the vulnerable function (foxtoollogingoogle()) with a forged request and verifying that the action is blocked.