CVE-2025-6055
BaseFortify
Publication date: 2025-06-14
Last updated on: 2025-06-16
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6055 is a vulnerability in the Zen Sticky Social WordPress plugin (up to version 0.3) where the plugin lacks proper nonce validation on its settings page, allowing Cross-Site Request Forgery (CSRF). This means an attacker can trick a site administrator into performing actions like updating plugin settings via a forged request. Additionally, the plugin does not sanitize or validate the Facebook and Twitter usernames submitted in the admin settings, which are then output directly into the site's footer links without escaping. This combination allows an attacker to inject malicious scripts (Cross-Site Scripting, XSS) into the site if they can manipulate the admin to submit crafted input. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute malicious scripts on the affected WordPress site by injecting them through the plugin's social media username settings. If an administrator is tricked into submitting a forged request, the attacker can update settings to include malicious code that runs in the browsers of site visitors or administrators. This can lead to theft of sensitive information, session hijacking, defacement, or further compromise of the website. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Zen Sticky Social WordPress plugin (version 0.3 or earlier) is installed and active on your site. Specifically, you can inspect the admin settings page for the plugin to see if it accepts POST requests updating Facebook and Twitter usernames without nonce validation. Additionally, you can review the plugin's 'zen-sticky-social.php' file for missing nonce checks and lack of input sanitization. To detect potential exploitation, you can search your WordPress options table for the 'zen_ss_settings' key and examine stored usernames for suspicious or script-injected content. Commands to assist detection include: 1) Using WP-CLI to check plugin version: `wp plugin list --status=active` 2) Querying the database for stored settings: `wp db query "SELECT option_value FROM wp_options WHERE option_name = 'zen_ss_settings';"` 3) Searching plugin files for nonce validation: `grep -r 'wp_nonce' wp-content/plugins/zen-sticky-social/` [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Updating the Zen Sticky Social plugin to a version that fixes the vulnerability if available. 2) If no update is available, temporarily deactivate or uninstall the plugin to prevent exploitation. 3) Restrict admin access to trusted users only to reduce risk of CSRF attacks. 4) Implement manual nonce validation and input sanitization in the plugin's admin settings code to prevent unauthorized POST requests and script injection. 5) Monitor and clean the 'zen_ss_settings' option in the database to remove any malicious input. 6) Educate site administrators to avoid clicking on suspicious links that could trigger CSRF attacks. [1]