CVE-2025-24720
Description
Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Sticky Buttons (sticky-buttons) allows Cross Site Request Forgery. This issue affects Sticky Buttons: from n/a through <= 4.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the Sticky Buttons WordPress plugin (≤4.1.1) allows attackers to trick admins into changing plugin settings.
What the vulnerability is
The Sticky Buttons plugin for WordPress, versions up to and including 4.1.1, contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw allows an unauthenticated attacker to forge requests that a logged-in administrator might unknowingly execute [1]. The root cause is the lack of proper CSRF token validation in settings-related actions.
How it's exploited
Exploitation requires user interaction: an administrator must be tricked into clicking a malicious link, visiting a crafted page, or submitting a form while authenticated [1]. No additional privileges are needed from the attacker beyond the ability to craft a malicious web page or link.
Impact
A successful CSRF attack can force the administrator to perform unwanted actions, such as changing plugin settings under their current authentication [1]. This could alter button configurations, potentially defacing the site, hiding elements, or enabling further attacks.
Mitigation
The vulnerability has been addressed in version 4.1.2 [1]. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider is recommended. The plugin's maintainer has classified this as low severity, but proactive patching is crucial to prevent exploitation in mass campaigns [1].
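The root cause named above (a settings action with no CSRF token validation) and the shape of the fix are illustrated here with an added example; this is a hypothetical WordPress plugin handler, not the Sticky Buttons plugin's code. The `demo_*` option, action and nonce names are placeholders; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`) are the standard ones.

```php
<?php
// Added example (not the Sticky Buttons plugin's code): a hypothetical WordPress
// plugin settings handler, first without a nonce check (the CSRF pattern this
// CVE describes), then hardened with the standard nonce + capability checks.
// All demo_* names are placeholders.

// --- Vulnerable pattern: any request carrying the field updates the option. ---
// A logged-in admin whose browser is made to submit a form to
// admin-post.php?action=demo_save_settings will save whatever that form sends,
// because nothing proves the request originated from the plugin's own page.
function demo_save_settings_vulnerable() {
    if ( isset( $_POST['demo_button_text'] ) ) {
        update_option( 'demo_button_text', sanitize_text_field( wp_unslash( $_POST['demo_button_text'] ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-settings' ) );
    exit;
}

// --- Hardened pattern: the form carries a nonce, the handler verifies it. ---
function demo_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_save_settings">';
    // Emits a hidden field "demo_settings_nonce" tied to this action, user and session.
    wp_nonce_field( 'demo_save_settings', 'demo_settings_nonce' );
    echo '<input type="text" name="demo_button_text" value="' . esc_attr( get_option( 'demo_button_text', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function demo_save_settings_hardened() {
    // Terminates the request unless a valid nonce for this action is present;
    // a third-party page cannot read or forge the nonce, so a cross-site form fails here.
    check_admin_referer( 'demo_save_settings', 'demo_settings_nonce' );
    // A nonce proves intent, not authorization: still enforce the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo' ), 403 );
    }
    $text = isset( $_POST['demo_button_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_button_text'] ) )
        : '';
    update_option( 'demo_button_text', $text );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=demo-settings' ) ) );
    exit;
}
// admin_post_{action} runs only for logged-in users; the nonce check is what stops CSRF.
add_action( 'admin_post_demo_save_settings', 'demo_save_settings_hardened' );
```

When auditing a plugin for this bug class, look for `update_option` (or direct `$wpdb` writes) reachable from an `admin_post_*`, `admin_init` or `wp_ajax_*` callback without a preceding `check_admin_referer`, `check_ajax_referer` or `wp_verify_nonce` call.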
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.