CVE-2025-10588
BaseFortify
Publication date: 2025-10-22
Last updated on: 2025-12-18
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pixelyoursite | plugin | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the PixelYourSite WordPress plugin (versions up to 11.1.2). It occurs because the plugin's adminEnableGdprAjax() function lacks proper nonce validation, allowing an attacker to trick a site administrator into performing unintended actions, such as modifying GDPR settings, via a forged request. [1]
How can this vulnerability impact me?
An attacker could exploit this vulnerability to change your site's GDPR settings without your consent by tricking an administrator into clicking a malicious link. This could lead to unauthorized modifications in how your site handles user data privacy settings. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Because this vulnerability allows unauthorized modification of GDPR settings, it could lead to non-compliance with GDPR requirements by altering privacy controls improperly. This may result in mishandling of personal data and potential regulatory violations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves missing or incorrect nonce validation on the `adminEnableGdprAjax()` function, allowing Cross-Site Request Forgery (CSRF) attacks. To detect exploitation attempts on your system, you can monitor HTTP requests targeting the AJAX action `pys_enable_gdpr_ajax` without a valid `_wpnonce` parameter. For example, you can use network monitoring tools or web server logs to filter requests containing `action=pys_enable_gdpr_ajax` and check for missing or invalid nonce values. A sample command using grep on Apache logs might be: `grep 'action=pys_enable_gdpr_ajax' /var/log/apache2/access.log`. Additionally, inspecting POST requests to `admin-ajax.php` for this action and verifying nonce presence can help detect attempts. [1]
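The log check described above, as an added example that is not part of this record: a small Python scanner over constructed Apache combined-format log lines that flags `pys_enable_gdpr_ajax` calls whose Referer is not the site's own host and, for GET requests, calls missing the `_wpnonce` query parameter. It assumes the combined log format (which records the Referer) and a constructed site hostname `shop.example`; because POST bodies are not written to access logs, a nonce sent in a POST body cannot be verified this way, so the Referer check is the more reliable signal.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def flag_gdpr_ajax_request(line, site_host):
    """Return a reason string if the line looks like a forged pys_enable_gdpr_ajax call, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    params = parse_qs(target.query)
    if not target.path.endswith("/admin-ajax.php") or params.get("action") != ["pys_enable_gdpr_ajax"]:
        return None
    reasons = []
    # Legitimate calls originate from the site's own wp-admin pages, so a foreign or
    # empty Referer is the strongest CSRF signal an access log can offer.
    ref_host = urlsplit(m.group("referer")).hostname or ""
    if ref_host != site_host:
        reasons.append(f"referer host {ref_host!r} is not {site_host!r}")
    # Only the request URL is logged, not POST bodies, so a missing _wpnonce is a
    # usable signal for GET requests only; a nonce sent in a POST body is invisible here.
    if m.group("method") == "GET" and "_wpnonce" not in params:
        reasons.append("no _wpnonce in query string")
    return "; ".join(reasons) or None

def scan_log(lines, site_host):
    """Return (ip, time, reason) for every suspicious request in an iterable of log lines."""
    hits = []
    for line in lines:
        reason = flag_gdpr_ajax_request(line, site_host)
        if reason:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("time"), reason))
    return hits

# Constructed sample lines (not real traffic): a legitimate admin call, a forged POST
# launched from another origin, a forged GET with no Referer, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Oct/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=pys_enable_gdpr_ajax&_wpnonce=8f3a1c2b HTTP/1.1" 200 27 "https://shop.example/wp-admin/admin.php?page=pixelyoursite" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Oct/2025:10:05:44 +0000] "POST /wp-admin/admin-ajax.php?action=pys_enable_gdpr_ajax HTTP/1.1" 200 27 "https://lure.example/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Oct/2025:10:06:10 +0000] "GET /wp-admin/admin-ajax.php?action=pys_enable_gdpr_ajax&enable=1 HTTP/1.1" 200 27 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Oct/2025:10:07:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]
```

Running `scan_log(SAMPLE_LOG, "shop.example")` reports the two requests from 198.51.100.9 and leaves the legitimate admin call and the login page request alone.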
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the PixelYourSite plugin to version 11.1.3 or later, where nonce verification for GDPR-related AJAX requests has been added to prevent CSRF attacks. Applying this update will ensure proper nonce validation on the adminEnableGdprAjax() function, blocking unauthorized modification of GDPR settings. Until the update is applied, restrict administrative access and educate administrators to avoid clicking suspicious links that could trigger forged requests. [1]