CVE-2025-13438
CSRF Vulnerability in WordPress Page Title Updater Plugin
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dienodigital | page_title_description_open_graph_updater | to 1.02 (inc) |
| wordfence | page_title_description_open_graph_updater | to 1.02 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'The Page Title, Description & Open Graph Updater plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.02. This vulnerability exists because the plugin does not perform nonce validation on several AJAX actions, including the dieno_update_page_title action.'}, {'type': 'paragraph', 'content': "As a result, an attacker who can trick a site administrator into clicking a malicious link can cause unauthorized updates to page titles and metadata without the administrator's explicit consent."}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability allows unauthenticated attackers to modify page titles and metadata on a WordPress site by exploiting the lack of nonce validation in AJAX update actions.'}, {'type': 'list_item', 'content': 'Attackers can change page titles and metadata without authorization.'}, {'type': 'list_item', 'content': "Such unauthorized changes can mislead site visitors or damage the site's reputation."}, {'type': 'list_item', 'content': 'It may also affect SEO and social media sharing due to altered Open Graph metadata.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring for unauthorized AJAX requests targeting the plugin's update actions, especially the 'dieno_update_page_title' action and other similar AJAX endpoints that update page metadata."}, {'type': 'paragraph', 'content': 'Since the vulnerability involves missing nonce validation on AJAX actions, you can look for suspicious HTTP POST requests to the WordPress admin-ajax.php endpoint with parameters indicating these update actions.'}, {'type': 'list_item', 'content': "Use network monitoring tools or web server logs to filter requests containing 'action=dieno_update_page_title' or other 'dieno_update_*' actions."}, {'type': 'list_item', 'content': 'Example command to search web server logs for suspicious AJAX update requests (Linux):'}, {'type': 'list_item', 'content': "grep 'action=dieno_update_page_title' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Use tools like curl to simulate requests and verify if nonce validation is missing, for example:'}, {'type': 'list_item', 'content': "curl -X POST -d 'action=dieno_update_page_title&post_id=1&new_title=Test' https://yourwordpresssite.com/wp-admin/admin-ajax.php"}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Page Title, Description & Open Graph Updater plugin to a version later than 1.02 where the vulnerability is fixed.
If an update is not available, temporarily disable or deactivate the plugin to prevent exploitation.
Additionally, restrict access to the WordPress admin-ajax.php endpoint or implement web application firewall (WAF) rules to block unauthorized AJAX requests targeting the vulnerable actions.
Educate site administrators to avoid clicking on suspicious links that could trigger forged requests.