CVE-2025-13408
CSRF in Foxtool WordPress Plugin Enables OAuth Account Takeover
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| foxtool | all-in-one | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Foxtool All-in-One WordPress plugin (up to version 2.5.2). It occurs because the plugin's foxtool_login_google() function lacks proper nonce validation, allowing unauthenticated attackers to trick a site administrator into performing actions like establishing an OAuth connection via a forged request.
How can this vulnerability impact me?
An attacker can exploit this vulnerability to make an administrator unknowingly establish an OAuth connection, potentially allowing unauthorized access or actions within the site. This could lead to limited integrity issues but does not directly impact confidentiality or availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Foxtool All-in-One plugin to a version later than 2.5.2 where the nonce validation issue in the foxtool_login_google() function is fixed. Additionally, avoid clicking on suspicious links and ensure site administrators are aware of the risk of Cross-Site Request Forgery attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect the CVE-2025-13408 vulnerability on your system, you should check the version of the Foxtool All-in-One WordPress plugin installed. Versions up to and including 2.5.2 are vulnerable. Ensure the plugin is updated to version 2.5.3 or later, which includes nonce-based CSRF protection. You can detect the vulnerable plugin version by running the following WP-CLI command in your WordPress installation directory: `wp plugin list --format=json | jq '.[] | select(.name=="foxtool") | {name,version}'`. Alternatively, check the plugin version in the WordPress admin dashboard under Plugins. There are no specific network commands to detect forged OAuth requests directly, but monitoring for unusual OAuth login attempts or unexpected Google OAuth connections could help. Also, reviewing web server logs for suspicious requests to the OAuth login endpoint related to foxtool_login_google may assist in detection. [1, 3]
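The missing nonce check described above, shown as an added illustration that is not the Foxtool plugin's own code: a minimal WordPress admin-post handler in the vulnerable shape next to the same handler protected by a nonce. All example_* function names, the option name, the settings page slug and the nonce action are hypothetical.

```php
<?php
// Added illustration of the CSRF pattern behind CVE-2025-13408 (CWE-352).
// This is NOT the Foxtool plugin's code; all names below are hypothetical.

// Vulnerable shape: an admin-post handler that stores an OAuth connection
// without any proof that the administrator intended the request. A page the
// admin visits can auto-submit this form cross-site and the browser attaches
// the admin's WordPress session cookies.
function example_vulnerable_connect_google() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // A capability check alone does not stop CSRF: the request is sent by the
    // logged-in admin's own browser, so it passes this check.
    update_option( 'example_oauth_client_id', sanitize_text_field( wp_unslash( $_POST['client_id'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// Hardened shape: the form carries a per-user, time-limited nonce bound to
// this specific action, and the handler refuses requests without it.
function example_render_connect_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_connect_google">';
    wp_nonce_field( 'example_connect_google', '_example_nonce' );
    echo '<input type="text" name="client_id">';
    submit_button( 'Connect Google' );
    echo '</form>';
}

function example_hardened_connect_google() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // check_admin_referer() validates the nonce (and the admin referer) and
    // calls wp_die() on failure, so a forged cross-site request stops here.
    check_admin_referer( 'example_connect_google', '_example_nonce' );
    update_option( 'example_oauth_client_id', sanitize_text_field( wp_unslash( $_POST['client_id'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// Only the hardened handler is wired up; admin_post_{action} fires for
// logged-in users, which is exactly the population CSRF targets.
add_action( 'admin_post_example_connect_google', 'example_hardened_connect_google' );
```

The nonce is generated from the logged-in user's session and the action name, so an attacker's page cannot produce one and the forged request never reaches update_option().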