1.1.1
CVE-2025-13366 describes a Cross-Site Request Forgery (XSRF) vulnerability affecting the Rabbit Hole plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the plugin's settings by tricking administrators into performing actions, such as clicking malicious links. The vulnerability impacts versions 0.0.0 through 1.1 and can lead to unauthorized configuration changes.
The primary impact of CVE-2025-13366 is the potential for an attacker to reset the Rabbit Hole plugin's settings without authentication. This could involve altering critical configurations, disabling features, or introducing malicious code. Because the reset operation is performed via a GET request, exploitation is simplified, requiring only a crafted link or image tag to trigger the action. Successful exploitation could compromise the integrity of the WordPress site and potentially lead to further attacks if the plugin's settings control access to sensitive data or functionality.
CVE-2025-13366 was publicly disclosed on 2025-12-12. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's ease of exploitation (GET request) suggests a potential for opportunistic attacks. It is not currently listed on the CISA KEV catalog.
WordPress sites utilizing the Rabbit Hole plugin, particularly those with site administrators who are susceptible to social engineering attacks or who frequently click on links from untrusted sources, are at risk. Shared hosting environments where multiple websites share the same server resources may also be vulnerable if one site is compromised.
• wordpress / composer / npm:
grep -r 'reset_options' /var/www/html/wp-content/plugins/rabbit-hole/• wordpress / composer / npm:
wp plugin list --status=all | grep 'rabbit-hole'• wordpress / composer / npm:
wp plugin update rabbit-hole• generic web: Check WordPress plugin directory for updates to Rabbit Hole.
disclosure
漏洞利用状态
EPSS
0.02% (3% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2025-13366 is to upgrade the Rabbit Hole plugin to a version that addresses the XSRF vulnerability. Since no fixed version is provided, monitor the plugin developer's website for updates. As a temporary workaround, restrict access to the plugin's reset functionality using a WordPress firewall (WAF) or by implementing custom access controls. Carefully review any links or actions requested by administrators to prevent accidental exploitation.
没有已知的补丁可用。请深入审查漏洞的详细信息,并根据您组织的风险承受能力采取缓解措施。最好卸载受影响的软件并寻找替代方案。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-13366 is a Cross-Site Request Forgery (XSRF) vulnerability in the Rabbit Hole WordPress plugin, allowing attackers to potentially reset plugin settings without authentication.
If you are using Rabbit Hole plugin versions 0.0.0 through 1.1, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it's available.
The recommended fix is to upgrade the Rabbit Hole plugin to a version that addresses the XSRF vulnerability. Monitor the plugin developer's website for updates. Implement WAF rules as a temporary workaround.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for opportunistic attacks.
Check the Rabbit Hole plugin developer's website and the WordPress plugin directory for official advisories and updates related to CVE-2025-13366.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。