Platform
wordpress
Component
meks-quick-plugin-disabler
Fixed version
1.0.1
CVE-2025-68083 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Meks Quick Plugin Disabler WordPress plugin. The flaw lets an attacker cause a logged-in user's browser to perform unauthorized actions in that user's account if the user is tricked into clicking a malicious link. The vulnerability affects versions from 0.0.0 through 1.0, and a patch is expected from the vendor.
A successful CSRF attack could allow an attacker to modify plugin settings, disable plugins, or perform other administrative actions as the logged-in user. This could lead to website defacement, data breaches, or even complete compromise of the WordPress installation. The impact is amplified if the affected user has administrator privileges, granting the attacker broad control over the website. While CSRF typically requires social engineering to trick a user into clicking a malicious link, the potential consequences can be severe.
This vulnerability was publicly disclosed on 2025-12-16. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Exploitation probability is considered low due to the reliance on social engineering and the lack of readily available exploits.
Websites utilizing the Meks Quick Plugin Disabler plugin, particularly those running older, unpatched versions (0.0.0–1.0), are at risk. Shared hosting environments where plugin updates are not managed by the user are also particularly vulnerable.
• wordpress / composer / npm:
grep -r 'meks-quick-plugin-disabler/index.php' /var/www/html/
• generic web:
curl -sI 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=meks_quick_plugin_disabler_disable_plugin&plugin=some-plugin' | grep -i '200 OK'
Disclosure
Exploitation status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to a patched version of the Meks Quick Plugin Disabler plugin as soon as it becomes available. Until a patch is released, consider implementing a Content Security Policy (CSP) to restrict the sources from which the browser can load resources. Additionally, utilize WordPress's built-in CSRF protection mechanisms, ensuring that all sensitive actions require authentication and validation. Monitor WordPress activity logs for suspicious requests originating from unexpected sources.
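To make the "built-in CSRF protection" point concrete, the following is an added illustration and not code from the Meks Quick Plugin Disabler plugin: a hypothetical admin-ajax handler that disables a plugin, shown first in the unprotected shape that a CSRF page can drive and then hardened with a WordPress nonce check (`check_ajax_referer()`), a capability check (`current_user_can()`) and input validation. The action name `example_disable_plugin`, the nonce name and the script handle are assumptions; the WordPress functions used are real.

```php
<?php
/*
 * Added illustration (not code from the Meks Quick Plugin Disabler plugin).
 * Hypothetical admin-ajax "disable plugin" handler, first without CSRF
 * protection and then with WordPress's built-in nonce and capability checks.
 * Action name, nonce action and script handle are assumptions.
 */

// --- Unprotected shape: trusts any request that reaches the action ----------
function example_disable_plugin_unprotected() {
    $plugin = isset( $_REQUEST['plugin'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['plugin'] ) ) : '';
    // Any third-party page an administrator visits can make the browser send
    // this request with the admin's cookies, and it succeeds: this is the CSRF
    // pattern the advisory describes.
    deactivate_plugins( $plugin );
    wp_send_json_success( array( 'disabled' => $plugin ) );
}

// --- Hardened shape ---------------------------------------------------------
function example_disable_plugin_protected() {
    // 1. Nonce check. Dies with HTTP 403 unless the request carries a valid
    //    nonce for this action in the "_ajax_nonce" (or "_wpnonce") field.
    //    A cross-site page cannot read the nonce, so forged requests fail here.
    check_ajax_referer( 'example_disable_plugin' );

    // 2. Capability check: only users allowed to manage plugins may proceed.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation: the value must name an installed plugin, and it is
    //    read from POST only, so a plain GET link cannot trigger the action.
    $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
    if ( '' === $plugin || ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_send_json_error( 'unknown plugin', 400 );
    }

    deactivate_plugins( $plugin );
    wp_send_json_success( array( 'disabled' => $plugin ) );
}

// Register only the hardened handler, and only for logged-in users (no
// "wp_ajax_nopriv_" hook, so anonymous requests never reach it).
add_action( 'wp_ajax_example_disable_plugin', 'example_disable_plugin_protected' );

// The admin page must hand the nonce to its own script so legitimate requests
// can include it; a page on another origin has no way to obtain this value.
function example_disable_plugin_enqueue() {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_disable_plugin' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_disable_plugin_enqueue' );
```

When reviewing a plugin for this class of bug, the thing to look for is an `admin_post_*` or `wp_ajax_*` handler that reaches a state-changing call such as `deactivate_plugins()` or `update_option()` without a preceding `check_ajax_referer()` / `check_admin_referer()` and capability check. For monitoring, as the advisory suggests, `admin-ajax.php` requests carrying a plugin-disabling action but no nonce field, or arriving with a `Referer` from an unexpected origin, are the signal worth alerting on.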
No patch is currently known. Review the vulnerability details carefully and apply mitigations in line with your organization's risk tolerance. Where feasible, uninstall the affected software and look for an alternative.
CVE-2025-68083 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Meks Quick Plugin Disabler WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using the Meks Quick Plugin Disabler plugin in versions 0.0.0 through 1.0. Upgrade as soon as a patch is available.
Upgrade to the latest version of the plugin as soon as a patch is released by the vendor. Implement CSP and monitor activity logs in the interim.
There are currently no confirmed reports of active exploitation, but the vulnerability remains a potential risk.
Check the official Meks Quick Plugin Disabler website or WordPress plugin repository for updates and advisories related to this vulnerability.