VYPR
Medium severity (CVSS 4.3) · NVD Advisory · Published Nov 27, 2025 · Updated Apr 15, 2026

CVE-2025-12578

Description

The Reuters Direct plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the 'class-reuters-direct-settings.php' page. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Reuters Direct WordPress plugin (≤3.0.0) is vulnerable to CSRF allowing unauthenticated attackers to reset settings via a forged request.

The Reuters Direct plugin for WordPress, in all versions up to and including 3.0.0, is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists because the 'class-reuters-direct-settings.php' page lacks proper nonce validation, making it possible for an attacker to craft a malicious request that resets the plugin's settings when a site administrator unknowingly triggers it. [1]

To exploit this vulnerability, an unauthenticated attacker must trick a logged-in administrator into performing an action, such as clicking on a crafted link. No authentication is required from the attacker, but the victim must have administrative privileges on the WordPress site. The attack can be delivered via email, social media, or other means of directing the admin to the malicious link. [1]

Successful exploitation allows the attacker to reset the plugin's settings without authorization. This could disrupt the functionality of the plugin or revert configurations, potentially affecting content display or other site features dependent on the plugin. The impact is limited to settings reset and does not include direct data compromise or privilege escalation. [1]

As of November 25, 2025, the plugin has been closed and is no longer available for download due to this security issue. Users are advised to remove the plugin from their WordPress installations and seek alternative solutions. No patch is available as the plugin has been discontinued. [1]
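The missing check described above, shown as an added illustration that is not the plugin's own code: a hypothetical WordPress settings-reset handler with no nonce validation, beside the hardened form that verifies a nonce bound to the action and enforces the caller's capability. All function, option and action names here are assumed.

```php
<?php
// Hypothetical WordPress admin handler illustrating the CSRF pattern in this
// advisory. Names (reuters_direct_* functions, the 'rd_settings' option, the
// 'rd_reset_settings' action) are assumed, not taken from the actual plugin.

// VULNERABLE PATTERN: any request that reaches this handler resets the option.
// A cross-site POST submitted by a logged-in administrator's browser carries
// the admin's session cookies, so the reset runs without the admin's intent.
function reuters_direct_reset_settings_unsafe() {
    if ( isset( $_POST['rd_reset'] ) ) {
        delete_option( 'rd_settings' );
    }
}

// HARDENED PATTERN: the form embeds a per-user, time-limited nonce tied to one
// action; the handler rejects requests whose nonce does not verify and then
// checks capability separately, because a nonce is not an authorization check.
function reuters_direct_render_reset_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="rd_reset_settings">';
    wp_nonce_field( 'rd_reset_settings', 'rd_nonce' ); // emits a hidden nonce field
    submit_button( 'Reset settings' );
    echo '</form>';
}

function reuters_direct_reset_settings_safe() {
    // Stops with a 403 if rd_nonce is missing, expired, or was issued for a
    // different action or user; a forged request cannot supply a valid one.
    check_admin_referer( 'rd_reset_settings', 'rd_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    delete_option( 'rd_settings' );
    wp_safe_redirect( add_query_arg( 'rd_reset', '1', admin_url( 'options-general.php' ) ) );
    exit;
}

// Route the POST through admin-post.php; the admin_post_ hook only fires for
// logged-in users (admin_post_nopriv_ would be wrong for a settings reset).
add_action( 'admin_post_rd_reset_settings', 'reuters_direct_reset_settings_safe' );
```

When reviewing a plugin for this class of bug, look for settings-mutating handlers that reach `update_option`/`delete_option` without a preceding `check_admin_referer` or `wp_verify_nonce` call on a nonce specific to that action.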

References
  1. Reuters Direct

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 2

News mentions: 0 (no linked articles in the index yet)