CVE-2025-9893
BaseFortify
Publication date: 2025-09-27
Last updated on: 2025-09-29
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wordpress | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the VM Menu Reorder plugin for WordPress is a Cross-Site Request Forgery (CSRF) issue affecting all versions up to and including 1.0.0. It occurs because the plugin's vm_set_to_default function lacks proper nonce validation, allowing an attacker to trick a site administrator into performing an unwanted action, such as resetting all menu reordering settings via a forged request.
How can this vulnerability impact me? :
This vulnerability can allow an unauthenticated attacker to reset all menu reordering settings on a WordPress site if they can trick an administrator into clicking a malicious link. While it does not directly compromise data confidentiality or availability, it can disrupt the site's menu configuration and cause inconvenience or potential misconfiguration.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the VM Menu Reorder plugin to a version later than 1.0.0 where the nonce validation issue is fixed. Until an update is available, restrict access to the plugin's functionality to trusted administrators only and educate site administrators to avoid clicking on suspicious links that could trigger the CSRF attack.