CVE-2025-9630
BaseFortify
Publication date: 2025-10-03
Last updated on: 2025-10-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grafica_real | wp_sinotype | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) in the WP SinoType plugin for WordPress, affecting all versions up to and including 1.0. It occurs because the plugin's sinotype_config function lacks proper nonce validation, allowing an attacker to trick a site administrator into performing unintended actions, such as modifying typography settings, via a forged request.
How can this vulnerability impact me? :
An attacker can exploit this vulnerability to modify typography settings on a WordPress site without authentication by tricking an administrator into clicking a malicious link. While it does not affect confidentiality or availability, it can lead to unauthorized changes in the site's appearance or configuration.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update or remove the WP SinoType plugin if it is version 1.0 or earlier. Additionally, ensure that nonce validation is correctly implemented on the sinotype_config function to prevent unauthorized requests. Educate site administrators to avoid clicking on suspicious links that could trigger forged requests.