CVE-2025-9374
BaseFortify
Publication date: 2025-08-29
Last updated on: 2025-08-29
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| briancolinger | ultimate_tag_warrior_importer | 0.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Ultimate Tag Warrior Importer WordPress plugin is a Cross-Site Request Forgery (CSRF) issue affecting all versions up to 0.2. It occurs because the plugin lacks proper nonce validation on a function, allowing unauthenticated attackers to trick a site administrator into performing unintended actions, such as importing tags, by clicking on a malicious link.
How can this vulnerability impact me?
This vulnerability can allow an attacker to cause a site administrator to unknowingly import tags into the WordPress site, potentially altering site content or behavior without authorization. While it does not directly compromise confidentiality or availability, it can lead to unauthorized changes and possible site misuse.
What immediate steps should I take to mitigate this vulnerability?
The Ultimate Tag Warrior Importer plugin has been closed and removed from download as of August 27, 2025, pending a full security review. Immediate mitigation steps include uninstalling or disabling the Ultimate Tag Warrior Importer plugin if it is installed on your WordPress site to prevent exploitation of the CSRF vulnerability. [1]
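For developers auditing similar importers, the missing nonce validation described above corresponds to the pattern below. This is an added example, not the plugin's own code: the plugin name, the `eti_*` functions, the `eti_import_tags` action and the `eti-import` page slug are all hypothetical, and the imported tags are constructed sample data.

```php
<?php
/**
 * Plugin Name: Example Tag Importer (hypothetical, for illustration only)
 */

// Register a Tools page that shows the import form.
add_action( 'admin_menu', function () {
    add_management_page( 'Example Tag Importer', 'Example Tag Importer',
        'manage_options', 'eti-import', 'eti_render_page' );
} );

function eti_render_page() {
    echo '<div class="wrap"><h1>Example Tag Importer</h1>';
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="eti_import_tags">';
    // Emits a hidden _wpnonce field tied to this action and the logged-in user.
    wp_nonce_field( 'eti_import_tags' );
    submit_button( 'Import tags' );
    echo '</form></div>';
}

// Pattern behind CWE-352 (kept commented out): the handler trusts the admin's
// session cookie alone, so it cannot tell a forged cross-site request from a real one.
// function eti_handle_import() { eti_do_import(); }

// Hardened handler: capability check plus nonce verification before any change.
add_action( 'admin_post_eti_import_tags', 'eti_handle_import' );
function eti_handle_import() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops the request if _wpnonce is missing, expired or issued for another action.
    check_admin_referer( 'eti_import_tags' );
    $count = eti_do_import();
    wp_safe_redirect( add_query_arg( 'imported', $count, admin_url( 'tools.php?page=eti-import' ) ) );
    exit;
}

// The state-changing operation: creates tags that do not exist yet.
function eti_do_import() {
    $count = 0;
    foreach ( array( 'security', 'wordpress' ) as $name ) { // constructed sample tags
        if ( ! term_exists( $name, 'post_tag' ) && ! is_wp_error( wp_insert_term( $name, 'post_tag' ) ) ) {
            $count++;
        }
    }
    return $count;
}
```

When reviewing a plugin for this class of bug, check that every handler reachable from `admin_post_*`, `wp_ajax_*` or an admin page callback verifies a nonce before it changes state.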