CVE-2025-25146
Description
CSRF vulnerability in Songkick Concerts and Festivals WordPress plugin up to 0.9.7 allows attackers to perform unauthorized actions via crafted requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in the Songkick Concerts and Festivals plugin for WordPress (version 0.9.7 and earlier). The plugin does not enforce CSRF protection (in WordPress terms, a nonce check bound to the action and the current user's session) on its administrative actions, so a request that carries an administrator's authentication cookies is accepted regardless of which site originated it. An attacker can therefore trick an authenticated administrator's browser into submitting requests the administrator never intended.
Exploitation
An attacker must get a logged-in administrator to click a malicious link or visit a crafted page while authenticated; the page submits a request to the vulnerable endpoint and the browser attaches the administrator's WordPress auth cookies. No additional privileges or network position are required beyond standard web access, and the attacker does not need to see the response, only to cause the request to be sent. Default SameSite=Lax cookie handling in current browsers narrows this (cross-site POSTs generally do not carry cookies) but does not remove it: top-level GET navigations still send cookies, so any state-changing action reachable via GET remains forgeable.
Impact
Successful exploitation enables an attacker to perform unauthorized actions on behalf of the administrator, such as modifying plugin settings or event configurations. This compromises the integrity of the plugin's functionality.
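To make the Vulnerability and Exploitation sections concrete, the following is an added illustration of the missing-nonce pattern beside its hardened form. It is not code from the Songkick Concerts and Festivals plugin; the action names `skcf_save_settings_vuln` / `skcf_save_settings`, the option `skcf_api_key` and the settings page slug are hypothetical, chosen only to show the shape of the bug and the fix using WordPress's own nonce and capability APIs.

```php
<?php
// Added example, not code from the Songkick Concerts and Festivals plugin.
// All names below (skcf_* actions, skcf_api_key option, page=skcf) are made up.

// --- Vulnerable pattern: a state-changing admin action with no nonce check ---
add_action('admin_post_skcf_save_settings_vuln', function () {
    // Any request that arrives with the administrator's WordPress auth cookie
    // is honoured, including a cross-origin form POST (or a GET navigation)
    // triggered by a page the attacker controls.
    update_option('skcf_api_key', sanitize_text_field(wp_unslash($_POST['api_key'] ?? '')));
    wp_safe_redirect(admin_url('options-general.php?page=skcf'));
    exit;
});

// --- Hardened pattern: nonce emitted with the form, verified on submit ---
function skcf_render_settings_form(): void {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="skcf_save_settings">
        <?php
        // Emits a hidden "skcf_nonce" field bound to this action and the
        // current user's session. A cross-site page cannot read this value
        // (same-origin policy), so it cannot forge a request that passes.
        wp_nonce_field('skcf_save_settings', 'skcf_nonce');
        ?>
        <input type="text" name="api_key"
               value="<?php echo esc_attr(get_option('skcf_api_key', '')); ?>">
        <?php submit_button('Save'); ?>
    </form>
    <?php
}

add_action('admin_post_skcf_save_settings', function () {
    // 1. Authorization: is this user allowed to change settings at all?
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', 403);
    }
    // 2. CSRF: did the request come from our own form? check_admin_referer()
    //    validates the nonce and calls wp_die() if it is missing or invalid,
    //    which is exactly the case for a request forged from another origin.
    check_admin_referer('skcf_save_settings', 'skcf_nonce');

    update_option('skcf_api_key', sanitize_text_field(wp_unslash($_POST['api_key'] ?? '')));
    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php?page=skcf')));
    exit;
});
```

The two checks are deliberately separate: `current_user_can()` answers "may this account do this", while the nonce answers "did this account actually ask for it". A capability check alone does not stop CSRF, because the forged request runs with the victim's full capabilities. For actions triggered by links rather than forms, the same protection is `wp_nonce_url()` on the link and `check_admin_referer()` on the handler.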
Mitigation
The vulnerability is fixed in version 0.10.1 [1]. Users should update to the latest version. No workarounds are currently available.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <=0.9.7
- (no CPE) range: <=0.9.7
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.