CVE-2025-10300
Description
The TopBar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the fme_nb_topbar_save_settings() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The TopBar WordPress plugin (≤1.0.0) has a CSRF vulnerability due to missing nonce validation, allowing unauthenticated attackers to modify plugin settings by tricking an admin into clicking a link.
Vulnerability
The TopBar plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0.0. The issue lies in the fme_nb_topbar_save_settings() function, which saves the plugin's settings without proper nonce validation. In WordPress, a nonce is the per-user, per-action token that proves a state-changing request originated from a form the site itself rendered for that user; without it, the handler accepts any request that arrives with the administrator's session cookies, which the browser attaches automatically. An attacker can therefore forge a request that modifies plugin settings without the administrator's consent [1].
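To make the mechanism concrete, the following is an added example written for this page; it is not code from the TopBar plugin, and it is not a patch for it (none exists). It shows a settings handler with the flaw the advisory describes, next to the standard hardened form. Every identifier other than the WordPress API calls (option name, form field names, hook and function names) is invented for illustration.

```php
<?php
/**
 * Added example, not TopBar plugin code. Models the pattern described in the
 * advisory: a settings-save handler that trusts any request carrying the
 * admin's cookies, and the WordPress fix (action-bound nonce + capability
 * check + POST only). Option name, field names and hook names are assumptions.
 */

// --- Vulnerable pattern ----------------------------------------------------
// Any request that arrives with the admin's session cookies is accepted. A page
// the admin is lured to can auto-submit this form and the settings change
// silently. Note that the capability check alone does NOT stop CSRF: the
// victim really is an administrator, so current_user_can() passes.
function example_topbar_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $settings = array(
        'message' => isset( $_POST['message'] ) ? wp_unslash( $_POST['message'] ) : '',
        'url'     => isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '',
    );
    update_option( 'example_topbar_settings', $settings ); // no nonce check anywhere
}

// --- Hardened pattern ------------------------------------------------------
// 1. The settings form embeds a nonce bound to a named action and to the
//    currently logged-in user. A cross-site page cannot read or forge it.
function example_topbar_settings_form() {
    $opts = get_option( 'example_topbar_settings', array( 'message' => '', 'url' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_topbar_save">
        <?php wp_nonce_field( 'example_topbar_save_settings', 'example_topbar_nonce' ); ?>
        <label>Bar text
            <input type="text" name="message" value="<?php echo esc_attr( $opts['message'] ); ?>">
        </label>
        <label>Link URL
            <input type="url" name="url" value="<?php echo esc_attr( $opts['url'] ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. The handler refuses anything that is not a nonce-bearing POST from a
//    user allowed to manage options, and only runs for logged-in users
//    (admin_post_{action}, not admin_post_nopriv_{action}).
function example_topbar_save_settings_hardened() {
    // A bare link click is a GET; rejecting it removes the "click this link" path.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_die( 'Invalid request method.', 'Forbidden', array( 'response' => 405 ) );
    }
    // Authorization: the user must be allowed to change settings ...
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    // ... AND the request must carry a nonce issued to this user for this action.
    // check_admin_referer() calls wp_die() on failure, so nothing below runs
    // for a forged cross-site request.
    check_admin_referer( 'example_topbar_save_settings', 'example_topbar_nonce' );

    // Sanitize on input (escape on output when rendering the bar).
    $settings = array(
        'message' => sanitize_text_field( wp_unslash( $_POST['message'] ?? '' ) ),
        'url'     => esc_url_raw( wp_unslash( $_POST['url'] ?? '' ), array( 'http', 'https' ) ),
    );
    update_option( 'example_topbar_settings', $settings );

    $back = wp_get_referer() ?: admin_url();
    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', $back ) );
    exit;
}
add_action( 'admin_post_example_topbar_save', 'example_topbar_save_settings_hardened' );
```

Two points worth keeping in mind when reviewing a handler like this. First, authentication and capability checks are not CSRF defences: the forged request is sent by the victim's own browser, so it passes both. Only the nonce (or an equivalent origin check) ties the request to a form the site rendered. Second, restricting the handler to POST matters on its own, because a GET handler can be triggered by a plain link or an `<img>` tag with no user interaction beyond loading the page.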
Exploitation
Exploitation requires tricking a site administrator into performing an action, such as clicking a malicious link or visiting a crafted page, while logged in to the WordPress dashboard. The attacker needs no account on the target site: the forged request is sent by the administrator's own browser and carries the administrator's session cookies, so it executes with the administrator's privileges. Whether a single link is enough, or the attacker's page must auto-submit a form, depends on whether the vulnerable handler accepts GET requests. The attack vector is network-based, and no privileges are needed on the attacker's side [1].
Impact
If exploited, an attacker can update the plugin's settings arbitrarily. While the impact is limited to plugin configuration changes, it could lead to defacement, redirection of users, or injection of malicious content depending on the settings available. The vulnerability is rated Medium (CVSS 4.3) due to the need for user interaction [1].
Mitigation
The plugin has been closed as of October 14, 2025 due to this security issue and is no longer available for download. Sites using the plugin should remove it immediately; because the plugin is closed, no fix will arrive through the normal dashboard update channel. No patched version exists, as the plugin reached end-of-life with version 1.0.0 [1]. After removal, it is worth reviewing the bar text and links the plugin was rendering for signs that the settings had already been tampered with.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Package: https://wordpress.org/plugins/topbar
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.