CVE-2025-10376
BaseFortify
Publication date: 2025-10-11
Last updated on: 2025-10-14
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chandra_bhushan_singh | course_redirects_for_learndash | 0.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Course Redirects for Learndash WordPress plugin versions up to 0.4. It occurs because the plugin does not validate nonces when processing form submissions on its settings page. This allows an attacker to trick a site administrator into performing unintended actions, such as changing plugin settings, by making them click on a malicious link.
How can this vulnerability impact me?
An attacker can exploit this vulnerability to modify the plugin settings without authorization by tricking an administrator into clicking a crafted link. This could lead to unauthorized changes in the website's behavior or configuration, potentially disrupting site functionality or security.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Course Redirects for Learndash plugin to a version later than 0.4 where nonce validation is properly implemented. Additionally, avoid clicking on suspicious links and ensure that only trusted administrators have access to the plugin settings page to prevent unauthorized changes via forged requests.
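The explanation and mitigation above both come down to one thing: a settings handler that writes options without verifying a nonce. The following is an added, hypothetical WordPress handler showing that unsafe pattern beside the hardened form; it is not the plugin's own code, and the option name, nonce action, and function names are made up for this example.

```php
<?php
// Hypothetical settings handler illustrating CWE-352 and its fix.
// Option name, nonce action and function names are invented for this example.

// --- Unsafe pattern: any POST reaching admin_init is trusted ---
function crfl_example_save_settings_unsafe() {
    if ( ! isset( $_POST['crfl_redirect_url'] ) ) {
        return;
    }
    // No nonce check: a forged cross-site POST sent by a logged-in admin's
    // browser is indistinguishable from a genuine settings-page submission.
    update_option( 'crfl_redirect_url', esc_url_raw( wp_unslash( $_POST['crfl_redirect_url'] ) ) );
}

// --- Hardened pattern: nonce in the form, nonce + capability check on save ---
function crfl_example_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'crfl_save_settings', 'crfl_nonce' ); ?>
        <input type="url" name="crfl_redirect_url"
               value="<?php echo esc_attr( get_option( 'crfl_redirect_url', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function crfl_example_save_settings_safe() {
    if ( ! isset( $_POST['crfl_redirect_url'] ) ) {
        return;
    }
    // check_admin_referer() verifies the nonce bound to this action and the
    // current user's session, and stops with a 403 if it is missing or stale.
    check_admin_referer( 'crfl_save_settings', 'crfl_nonce' );

    // Authorization is separate from CSRF protection: a valid nonce issued to
    // a low-privilege user must still not be allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'crfl-example' ), '', 403 );
    }

    update_option( 'crfl_redirect_url', esc_url_raw( wp_unslash( $_POST['crfl_redirect_url'] ) ) );
}

add_action( 'admin_init', 'crfl_example_save_settings_safe' );
```

When auditing a plugin for this bug class, look for every code path that calls `update_option()` or otherwise changes state on a POST and confirm it is preceded by `check_admin_referer()` (or `wp_verify_nonce()`) and a capability check.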