CVE-2025-13438
Awaiting Analysis Awaiting Analysis - Queue
CSRF Vulnerability in WordPress Page Title Updater Plugin

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: Wordfence

Description
The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on multiple AJAX actions including dieno_update_page_title. This makes it possible for unauthenticated attackers to update page titles and metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-14
NVD
CVE-2025-13438
EUVD
EUVD-2025-207862
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
dienodigital page_title_description_open_graph_updater to 1.02 (inc)
wordfence page_title_description_open_graph_updater to 1.02 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'The Page Title, Description & Open Graph Updater plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.02. This vulnerability exists because the plugin does not perform nonce validation on several AJAX actions, including the dieno_update_page_title action.'}, {'type': 'paragraph', 'content': "As a result, an attacker who can trick a site administrator into clicking a malicious link can cause unauthorized updates to page titles and metadata without the administrator's explicit consent."}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows unauthenticated attackers to modify page titles and metadata on a WordPress site by exploiting the lack of nonce validation in AJAX update actions.'}, {'type': 'list_item', 'content': 'Attackers can change page titles and metadata without authorization.'}, {'type': 'list_item', 'content': "Such unauthorized changes can mislead site visitors or damage the site's reputation."}, {'type': 'list_item', 'content': 'It may also affect SEO and social media sharing due to altered Open Graph metadata.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring for unauthorized AJAX requests targeting the plugin's update actions, especially the 'dieno_update_page_title' action and other similar AJAX endpoints that update page metadata."}, {'type': 'paragraph', 'content': 'Since the vulnerability involves missing nonce validation on AJAX actions, you can look for suspicious HTTP POST requests to the WordPress admin-ajax.php endpoint with parameters indicating these update actions.'}, {'type': 'list_item', 'content': "Use network monitoring tools or web server logs to filter requests containing 'action=dieno_update_page_title' or other 'dieno_update_*' actions."}, {'type': 'list_item', 'content': 'Example command to search web server logs for suspicious AJAX update requests (Linux):'}, {'type': 'list_item', 'content': "grep 'action=dieno_update_page_title' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Use tools like curl to simulate requests and verify if nonce validation is missing, for example:'}, {'type': 'list_item', 'content': "curl -X POST -d 'action=dieno_update_page_title&post_id=1&new_title=Test' https://yourwordpresssite.com/wp-admin/admin-ajax.php"}] [1]

Mitigation Strategies

Immediate mitigation steps include updating the Page Title, Description & Open Graph Updater plugin to a version later than 1.02 where the vulnerability is fixed.

If an update is not available, temporarily disable or deactivate the plugin to prevent exploitation.

Additionally, restrict access to the WordPress admin-ajax.php endpoint or implement web application firewall (WAF) rules to block unauthorized AJAX requests targeting the vulnerable actions.

Educate site administrators to avoid clicking on suspicious links that could trigger forged requests.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13438. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart