Platform: wordpress
Component: auto-prune-posts
Fixed version: 3.0.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Auto Prune Posts WordPress plugin. This flaw allows an attacker to trick authenticated users into performing actions they didn't intend, potentially leading to data deletion or configuration changes. The vulnerability affects versions from 0.0.0 through 3.0.0, and a fix is available in version 3.1.0.
The CSRF vulnerability in Auto Prune Posts lets an attacker cause a logged-in user's browser to submit a request to the plugin without that user's knowledge, for example by auto-submitting a hidden form from an attacker-controlled page. Because the browser attaches the victim's WordPress session cookies, the request is processed with the victim's privileges: this could delete posts, modify pruning schedules, or alter other plugin settings. The impact is amplified when the targeted user holds administrator privileges, since the forged request inherits every capability that account has. A successful attack could lead to data loss and disruption of service, and, depending on which actions the plugin exposes, to wider compromise of the WordPress installation. While no specific real-world exploitation has been publicly reported, CSRF vulnerabilities are frequently exploited in WordPress environments.
This vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, and the EPSS score of 0.03% indicates a low probability of active exploitation. The vulnerability was disclosed on 2025-11-13. The CVSS score of 6.5 (MEDIUM) reflects the potential impact and the fact that exploitation requires only that a privileged user visit an attacker-controlled page.
WordPress websites using the Auto Prune Posts plugin in versions 0.0.0 through 3.0.0 are at risk. This includes sites with administrative users who frequently interact with the plugin, as they are the most likely targets for CSRF attacks. Shared hosting environments where multiple websites share the same server resources are also at increased risk.
• wordpress / composer / npm (check whether the installed plugin code both emits nonces and verifies them; a plugin that calls wp_nonce_field but never calls check_admin_referer or wp_verify_nonce is still unprotected):
  grep -rE 'wp_nonce_field|check_admin_referer|wp_verify_nonce' /var/www/html/wp-content/plugins/auto-prune-posts/
• generic web (read the installed version from the plugin's readme, which WordPress plugins publish alongside their code):
  curl -s https://your-wordpress-site.com/wp-content/plugins/auto-prune-posts/readme.txt | grep -i 'stable tag'
Disclosure: 2025-11-13
Exploitation status
EPSS: 0.03% (7th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-64262 is to upgrade the Auto Prune Posts plugin to version 3.1.0 or later. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider a Web Application Firewall (WAF) with CSRF protection rules, for example rules that reject state-changing requests to the plugin's endpoints whose Origin or Referer header is not your own site. Additionally, ensure that all users with elevated privileges understand the risk of clicking on suspicious links or visiting untrusted sites while logged in to the WordPress admin. A Content Security Policy (CSP) limits where scripts can be loaded from but does not block a cross-site form submission, so it is not a substitute for server-side CSRF protection. After upgrading, verify the plugin's functionality and confirm that the CSRF protection is active by replaying a pruning or settings request without its nonce field; the request should be rejected rather than applied.
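The following added example illustrates the request-handling pattern described above and the fix that the post-upgrade verification step checks for. It is illustrative code written for this page, not code from the Auto Prune Posts plugin: the option name, the admin-post action name app_save_settings, the nonce name app_nonce and the function names are all assumptions. Both handlers run with the victim's session, but only the hardened one refuses a request that lacks a nonce issued to that user for that action.

```php
<?php
// Illustrative example, not code from the Auto Prune Posts plugin.
// Assumes a hypothetical settings form that posts to admin-post.php with
// action=app_save_settings (the action, option and nonce names are assumptions).

// Vulnerable pattern: the capability check passes because the victim is an
// admin, but nothing proves the request originated from this site's own form.
function app_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // No nonce check: a hidden form auto-submitted from an attacker's page is
    // sent with the admin's cookies and is accepted here.
    update_option( 'app_prune_days', absint( $_POST['prune_days'] ?? 0 ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=app&updated=1' ) );
    exit;
}

// Hardened pattern, step 1: the form embeds a nonce bound to this user and action.
function app_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="app_save_settings">
        <?php wp_nonce_field( 'app_save_settings', 'app_nonce' ); ?>
        <label>Delete posts older than (days)
            <input type="number" name="prune_days" min="0"
                   value="<?php echo esc_attr( get_option( 'app_prune_days', 0 ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened pattern, step 2: verify capability AND nonce before changing state.
function app_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // check_admin_referer() stops the request with a 403 page unless
    // $_POST['app_nonce'] is a valid nonce for 'app_save_settings' issued to
    // the currently logged-in user. An attacker's page cannot read that value.
    check_admin_referer( 'app_save_settings', 'app_nonce' );

    update_option( 'app_prune_days', absint( $_POST['prune_days'] ?? 0 ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=app&updated=1' ) );
    exit;
}
add_action( 'admin_post_app_save_settings', 'app_save_settings_hardened' );
```

To reproduce the verification step from the mitigation text against a handler like the hardened one, submit the same form fields with the app_nonce field removed while logged in as an administrator: WordPress should answer with its nonce-failure page (HTTP 403) and the option must remain unchanged, whereas the vulnerable handler would apply the change.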
Update to version 3.1.0 or a later fixed version.
CVE-2025-64262 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Auto Prune Posts WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using Auto Prune Posts versions 0.0.0 through 3.0.0. Upgrade to 3.1.0 or later to mitigate the risk.
Upgrade the Auto Prune Posts plugin to version 3.1.0 or later. Consider implementing WAF rules and educating users about CSRF risks.
While no active exploitation has been publicly confirmed, CSRF vulnerabilities are frequently targeted, so vigilance is advised.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.