CVE-2025-12188
BaseFortify
Publication date: 2025-11-04
Last updated on: 2025-11-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_masters | posts_navigation_links | 1.0.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Posts Navigation Links for Sections and Headings β Free by WP Masters WordPress plugin, affecting all versions up to 1.0.1. It occurs because the plugin's settings page ('wpm_navigation_links_settings') lacks proper nonce validation, allowing an attacker to trick a site administrator into performing unwanted actions, such as changing plugin settings, without their consent.
How can this vulnerability impact me? :
An attacker can exploit this vulnerability to modify the plugin's settings by tricking an administrator into clicking a malicious link. Although it does not allow direct data theft or site takeover, unauthorized changes to plugin settings could disrupt site functionality or security configurations.