平台
wordpress
组件
peer-publish
修复版本
1.0.1
CVE-2025-12587 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Peer Publish plugin for WordPress. This flaw allows unauthenticated attackers to manipulate website configurations, such as adding, modifying, or deleting websites, if they can trick an administrator into performing actions via a forged request. The vulnerability impacts versions 1.0.0 through 1.0, and a fix is pending.
The core impact of this CSRF vulnerability lies in the potential for unauthorized modification of website configurations. An attacker could leverage this to add malicious websites, alter existing settings to redirect traffic or inject malicious code, or even delete legitimate websites. Successful exploitation could lead to a complete compromise of the WordPress site's functionality and data integrity. The attack vector relies on social engineering – tricking an administrator into clicking a malicious link or visiting a crafted page. While requiring user interaction, the ease of crafting such attacks makes this a significant risk.
This vulnerability was publicly disclosed on 2025-11-25. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively straightforward nature of CSRF exploitation and the plugin's functionality, it is reasonable to expect that attackers may begin targeting vulnerable installations.
WordPress websites utilizing the Peer Publish plugin, particularly those with shared hosting environments or where administrator accounts are not adequately secured, are at heightened risk. Sites with less stringent URL filtering and those where administrators are prone to clicking on suspicious links are also more vulnerable.
• wordpress / composer / npm:
grep -r 'Peer Publish' /var/www/html/wp-content/plugins/
wp plugin list --status=all | grep 'Peer Publish'• generic web:
curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=peer_publish_add_websitedisclosure
漏洞利用状态
EPSS
0.02% (3% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation is to upgrade to a patched version of the Peer Publish plugin as soon as it becomes available. Until then, consider implementing temporary workarounds. Restrict administrator access to only essential tasks and implement strict URL filtering to prevent access to potentially malicious sites. Employ a Web Application Firewall (WAF) with CSRF protection rules to block forged requests. Regularly review website configurations for any unauthorized changes. After upgrading, confirm the fix by attempting a CSRF attack on the website management pages and verifying that the request is blocked.
没有已知的补丁可用。请深入审查漏洞的详细信息,并根据您组织的风险承受能力采取缓解措施。最好卸载受影响的软件并寻找替代方案。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-12587 is a Cross-Site Request Forgery (CSRF) vulnerability in the Peer Publish WordPress plugin, allowing attackers to manipulate website configurations via forged requests.
You are affected if you are using Peer Publish WordPress plugin versions 1.0.0–1.0 and have not upgraded to a patched version.
Upgrade to a patched version of the Peer Publish plugin as soon as it becomes available. Implement temporary workarounds like URL filtering and WAF rules until the upgrade.
No active exploitation has been confirmed at this time, but the vulnerability's nature suggests potential for future attacks.
Check the Peer Publish plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-12587.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。