CVE-2025-10312
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-10-16
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | theme_importer | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Restricting access to the Theme Importer plugin by limiting admin users who can access it; 2) Disabling or uninstalling the Theme Importer plugin until a patched version is available; 3) Applying strict input validation and nonce verification in the plugin code to prevent CSRF and arbitrary file downloads; 4) Monitoring and removing any suspicious files or directories created by the plugin; 5) Keeping WordPress and all plugins updated to the latest versions. Since the vulnerability is due to missing nonce validation and lack of input sanitization, patching or disabling the plugin is critical. [2]
Can you explain this vulnerability to me?
CVE-2025-10312 is a vulnerability in the WordPress Theme Importer plugin (up to version 1.0) caused by missing nonce validation in the theme-importer.php file. This lack of validation allows unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) attacks by tricking a site administrator into clicking a malicious link. The plugin downloads and extracts theme ZIP files from user-supplied URLs without proper validation or sanitization, enabling attackers to trigger arbitrary file downloads and potentially execute malicious operations on the site. [2]
How can this vulnerability impact me? :
This vulnerability can allow attackers to perform unauthorized actions by tricking an administrator into clicking a malicious link, leading to arbitrary file downloads and extraction of potentially malicious ZIP archives. This can result in placing malicious files such as PHP backdoors within the WordPress theme directory, potentially leading to remote code execution, site compromise, and loss of control over the affected website. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve monitoring for suspicious HTTP POST requests to the theme-importer.php file that include URLs for ZIP file downloads. On the server, you can check for unexpected ZIP file downloads or new theme directories created recently. Commands to help detect this include: 1) Using web server logs to search for POST requests to theme-importer.php, e.g., `grep 'POST .*theme-importer.php' /var/log/apache2/access.log`; 2) Checking for recently modified or created theme directories, e.g., `find /path/to/wordpress/wp-content/themes/ -type d -ctime -7`; 3) Searching for ZIP files downloaded recently, e.g., `find /path/to/wordpress/wp-content/themes/ -name '*.zip' -ctime -7`. [2]