CVE-2025-12069
BaseFortify
Publication date: 2025-11-04
Last updated on: 2025-11-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wp_global_screen_options | 0.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the WP Global Screen Options plugin for WordPress, affecting all versions up to and including 0.2. It occurs because the plugin's updatewpglobalscreenoptions action handler lacks nonce validation, allowing an attacker to trick an administrator into performing an unwanted action, such as clicking a malicious link, which then modifies global screen options for all users.
How can this vulnerability impact me? :
An attacker can exploit this vulnerability to change global screen options for all users by tricking an administrator into executing a forged request. While it does not allow direct data theft or system compromise, it can lead to unauthorized changes in the user interface or settings, potentially disrupting normal operations or causing confusion among users.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update or remove the WP Global Screen Options plugin if it is at version 0.2 or earlier. Additionally, ensure that administrators are cautious about clicking on untrusted links to avoid being tricked into performing actions that could exploit this vulnerability.