Fixed version: 2.20
CVE-2025-13684 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the ARK Related Posts plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the plugin's configuration settings if they can trick a site administrator into performing a malicious action. The vulnerability impacts versions 0.0.0 through 2.19, and a fix is available in version 2.20.
The primary impact of this CSRF vulnerability is the potential for unauthorized modification of the ARK Related Posts plugin's settings. An attacker could leverage this to alter how related posts are displayed, potentially injecting malicious content or redirecting users. While the plugin itself might not contain sensitive data, changes to its configuration could impact the overall site experience and potentially be used as a stepping stone for further attacks. Successful exploitation requires the attacker to convince a site administrator to click a malicious link, making social engineering a key component of the attack. This vulnerability is similar in nature to other CSRF flaws, where an attacker leverages a user's authenticated session to perform actions on their behalf.
This vulnerability was publicly disclosed on 2025-12-05. There is currently no indication of active exploitation campaigns targeting this specific flaw. No Proof-of-Concept (PoC) code has been publicly released. The vulnerability has not been added to the CISA KEV catalog at the time of this writing.
WordPress sites utilizing the ARK Related Posts plugin, particularly those with site administrators who are susceptible to social engineering attacks, are at risk. Shared hosting environments where plugin updates are managed centrally may also be vulnerable if the plugin is not promptly updated across all sites.
• wordpress / composer / npm:
grep -r 'ark_rp_options_page' /var/www/html/wp-content/plugins/ark-related-posts/
• wordpress / composer / npm:
wp plugin list | grep 'ark-related-posts'
• wordpress / composer / npm:
wp plugin update ark-related-posts --version=2.20
Exploitation status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-13684 is to immediately upgrade the ARK Related Posts plugin to version 2.20 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests to the arkrpoptions_page endpoint that lack proper nonce validation. Additionally, educate site administrators about the risks of clicking on suspicious links and verify the legitimacy of any requests before confirming them. Regularly review plugin configurations for any unauthorized changes.
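To show what the missing nonce validation looks like in practice, here is an added illustration of a WordPress settings-save handler in its CSRF-prone form next to a hardened form; it is not code from the ARK Related Posts plugin, and the function, option and field names (example_rp_*) are assumptions.

```php
<?php
// Added illustration, not code from the ARK Related Posts plugin.
// The option name and form field names (example_rp_*) are assumptions.

// Vulnerable pattern: the handler trusts any POST that carries the field.
// A form submitted cross-site by a logged-in administrator's browser is
// indistinguishable from a legitimate save, which is the CSRF condition.
function example_rp_save_settings_vulnerable() {
    if ( isset( $_POST['example_rp_count'] ) ) {
        update_option( 'example_rp_count', intval( $_POST['example_rp_count'] ) );
    }
}

// Hardened pattern: render the form with a nonce bound to this user and
// action, then require both a capability check and nonce verification.
function example_rp_render_form() {
    echo '<form method="post">';
    // Emits the hidden nonce field plus a _wp_http_referer field.
    wp_nonce_field( 'example_rp_save', 'example_rp_nonce' );
    echo '<input type="number" name="example_rp_count" value="'
        . esc_attr( get_option( 'example_rp_count', 5 ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function example_rp_save_settings_hardened() {
    if ( ! isset( $_POST['example_rp_count'] ) ) {
        return;
    }
    // Reject callers who may not manage options, regardless of the nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() stops the request with a 403 when the nonce is
    // absent, expired, or was issued for another action or user.
    check_admin_referer( 'example_rp_save', 'example_rp_nonce' );
    update_option( 'example_rp_count', absint( $_POST['example_rp_count'] ) );
}
```

A WAF rule of the kind suggested above can only check that a nonce-shaped field is present; the nonce's validity is known to WordPress alone, so the in-code check is the actual fix.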
Update to version 2.20 or a later fixed version.
CVE-2025-13684 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–2.19 of the ARK Related Posts WordPress plugin, allowing attackers to modify plugin settings.
You are affected if your WordPress site uses the ARK Related Posts plugin in versions 0.0.0 through 2.19. Upgrade to 2.20 or later to resolve the issue.
Upgrade the ARK Related Posts plugin to version 2.20 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-13684.
Refer to the ARK Related Posts plugin's official website or WordPress plugin repository for the latest advisory and update information.