CVE-2025-9883
BaseFortify
Publication date: 2025-09-20
Last updated on: 2025-09-22
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | browser_sniff | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Browser Sniff plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 2.3. This occurs because the plugin lacks proper nonce validation on a function, allowing unauthenticated attackers to update settings and inject malicious web scripts by tricking a site administrator into performing an action like clicking a malicious link.
How can this vulnerability impact me? :
This vulnerability can allow attackers to change plugin settings and inject malicious scripts into the website without authentication, potentially compromising site integrity and security if an administrator is tricked into clicking a malicious link.
What immediate steps should I take to mitigate this vulnerability?
Immediate steps include disabling or uninstalling the Browser Sniff plugin, as it has been closed and made unavailable for download pending a full security review. Avoid using versions up to and including 2.3, and ensure site administrators are cautious about clicking on untrusted links to prevent CSRF attacks. [1]