Reuters Direct <= 3.0.0 - Cross-Site Request Forgery Allows Settings Reset
Platform: wordpress
Component: reuters-direct
Fixed version: 3.0.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Reuters Direct plugin for WordPress. This flaw, affecting versions from 0.0.0 through 3.0.0, stems from inadequate nonce validation on the 'class-reuters-direct-settings.php' page. Successful exploitation allows an attacker to manipulate plugin settings by tricking a site administrator into performing actions via a crafted link.
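To make the flaw concrete, the following is an added illustration (not the plugin's own code) of a WordPress settings-save handler in the vulnerable shape the advisory describes, next to a hardened form that uses WordPress's nonce API; the function names, option name, form action and hook are assumptions.

```php
<?php
// Added illustration (not the plugin's code): a WordPress settings-save handler
// in the shape the advisory describes, shown vulnerable and then hardened.
// Function names, the option name, the form action and the hook are assumptions.

// --- Vulnerable shape: trusts any POST that reaches the handler. ---
// A form forged on another site and submitted by a logged-in admin's browser
// arrives with the admin's cookies, so the capability check passes and the
// settings are overwritten without the admin intending it.
function rd_demo_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // No nonce check: the request is never tied to a form this site rendered.
    update_option( 'rd_demo_feed_url', esc_url_raw( $_POST['feed_url'] ?? '' ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=rd-demo&saved=1' ) );
    exit;
}

// --- Hardened shape: capability check plus a nonce bound to this action. ---
function rd_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // check_admin_referer() verifies the 'rd_demo_save_settings' nonce carried in
    // the '_wpnonce' field and stops with a 403 page when it is missing or
    // invalid, so a cross-origin forged request cannot supply a valid token.
    check_admin_referer( 'rd_demo_save_settings', '_wpnonce' );
    update_option( 'rd_demo_feed_url', esc_url_raw( $_POST['feed_url'] ?? '' ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=rd-demo&saved=1' ) );
    exit;
}
add_action( 'admin_post_rd_demo_save_settings', 'rd_demo_save_settings_hardened' );

// The settings form must emit the matching nonce field for the hardened handler.
function rd_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rd_demo_save_settings">
        <?php wp_nonce_field( 'rd_demo_save_settings', '_wpnonce' ); ?>
        <input type="url" name="feed_url"
               value="<?php echo esc_attr( get_option( 'rd_demo_feed_url', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce is only a CSRF defence, not an authorization check, which is why the hardened handler keeps the `current_user_can()` test as well.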
Impact and attack scenarios
The primary impact of this CSRF vulnerability is the potential for unauthorized modification of the Reuters Direct plugin's settings. An attacker could leverage this to alter configurations, potentially impacting the plugin's functionality or introducing malicious behavior. While the plugin itself may not directly expose sensitive data, changes to its settings could indirectly affect the broader WordPress site's security posture. The attack requires the administrator to click a malicious link, making social engineering a key component of exploitation. This vulnerability is similar to other CSRF flaws where an attacker can perform actions on behalf of an authenticated user without their knowledge.
Exploitation context
This vulnerability was publicly disclosed on 2025-11-27. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog.
Who is at risk
WordPress sites utilizing the Reuters Direct plugin, particularly those with site administrators who are susceptible to social engineering attacks, are at risk. Shared hosting environments where multiple WordPress sites share the same server resources could also be affected, as a compromise on one site could potentially impact others.
Detection steps
• wordpress / composer / npm:
grep -r 'class-reuters-direct-settings.php' /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
wp plugin list | grep reuters-direct
• wordpress / composer / npm:
curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=reuters_direct_settings_save&nonce=malicious_nonce' | head -n 1
Attack timeline
- Disclosure
Threat intelligence
Exploitation status
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS vector
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the internet, with no physical or local access required. The largest attack surface.
- Attack Complexity
- Low: no special conditions are needed; the vulnerability can be exploited reliably.
- Privileges Required
- None: no authentication or credentials are needed to exploit it.
- User Interaction
- Required: the victim must open a file, click a link, or visit a specially crafted page.
- Scope
- Unchanged: the impact is limited to the vulnerable component itself.
- Confidentiality
- None: no confidentiality impact.
- Integrity
- Low: the attacker can modify some data, with limited impact.
- Availability
- None: no availability impact.
Affected software
Weakness classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigations and alternatives
The recommended mitigation is to immediately upgrade the Reuters Direct plugin to a version that addresses this vulnerability. The vendor has not yet released a fixed version, so temporary workarounds include restricting access to the 'class-reuters-direct-settings.php' page using WordPress access control plugins. Implement a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Regularly review WordPress user permissions to ensure only authorized personnel have access to plugin settings.
Remediation
No known patch is available. Review the vulnerability details carefully and apply mitigations according to your organization's risk tolerance. Preferably, uninstall the affected software and look for an alternative.
Frequently asked questions
What is CVE-2025-12578 — CSRF in Reuters Direct WordPress Plugin?
CVE-2025-12578 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Reuters Direct WordPress plugin versions 0.0.0–3.0.0, allowing attackers to modify plugin settings via forged requests.
Am I affected by CVE-2025-12578 in Reuters Direct WordPress Plugin?
If you are using the Reuters Direct WordPress plugin in versions 0.0.0 through 3.0.0, you are potentially affected by this vulnerability. Upgrade immediately.
How do I fix CVE-2025-12578 in Reuters Direct WordPress Plugin?
Upgrade to a patched version of the Reuters Direct plugin as soon as it becomes available. Until then, restrict access to the settings page and consider using a WAF.
Is CVE-2025-12578 being actively exploited?
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Where can I find the official Reuters Direct advisory for CVE-2025-12578?
Refer to the plugin developer's website or WordPress plugin repository for updates and official advisories regarding CVE-2025-12578.