CVE-2025-13408
Unknown Unknown - Not Provided
CSRF in Foxtool WordPress Plugin Enables OAuth Account Takeover

Publication date: 2025-12-12

Last updated on: 2025-12-12

Assigner: Wordfence

Description
The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the foxtool_login_google() function. This makes it possible for unauthenticated attackers to establish an OAuth Connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-12
EPSS Evaluated
2026-06-14
NVD
CVE-2025-13408
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
foxtool all-in-one *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Foxtool All-in-One WordPress plugin (up to version 2.5.2). It occurs because the plugin's foxtool_login_google() function lacks proper nonce validation, allowing unauthenticated attackers to trick a site administrator into performing actions like establishing an OAuth connection via a forged request.

Mitigation Strategies

To mitigate this vulnerability, update the Foxtool All-in-One plugin to a version later than 2.5.2 where the nonce validation issue in the foxtool_login_google() function is fixed. Additionally, avoid clicking on suspicious links and ensure site administrators are aware of the risk of Cross-Site Request Forgery attacks.

Impact Analysis

An attacker can exploit this vulnerability to make an administrator unknowingly establish an OAuth connection, potentially allowing unauthorized access or actions within the site. This could lead to limited integrity issues but does not directly impact confidentiality or availability.

Detection Guidance

To detect the CVE-2025-13408 vulnerability on your system, you should check the version of the Foxtool All-in-One WordPress plugin installed. Versions up to and including 2.5.2 are vulnerable. Ensure the plugin is updated to version 2.5.3 or later, which includes nonce-based CSRF protection. You can detect the vulnerable plugin version by running the following WP-CLI command in your WordPress installation directory: `wp plugin list --format=json | jq '.[] | select(.name=="foxtool") | {name,version}'`. Alternatively, check the plugin version in the WordPress admin dashboard under Plugins. There are no specific network commands to detect forged OAuth requests directly, but monitoring for unusual OAuth login attempts or unexpected Google OAuth connections could help. Also, reviewing web server logs for suspicious requests to the OAuth login endpoint related to foxtool_login_google may assist in detection. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13408. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart