CVE-2025-27340
Description
Cross-Site Request Forgery (CSRF) vulnerability in Forge12 Interactive GmbH F12-Profiler f12-profiler allows Cross Site Request Forgery. This issue affects F12-Profiler: from n/a through <= 1.3.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Request Forgery in WordPress F12-Profiler plugin up to v1.3.9 allows attackers to force privileged users to perform unwanted actions.
Vulnerability Overview
CVE-2025-27340 is a Cross-Site Request Forgery (CSRF) vulnerability in the F12-Profiler plugin for WordPress, affecting all versions up to and including 1.3.9 [1]. At least one state-changing request handled by the plugin is not protected by a WordPress nonce (or an equivalent check that the request originated from the plugin's own UI), so a request that an attacker causes an authenticated user's browser to send is processed with that user's privileges.
Exploitation
Exploitation requires a privileged user (for example an administrator) who is logged into the WordPress site to visit an attacker-controlled page or follow a crafted link while their session cookies are valid [1]. The attacker needs no account on the target site and no network access beyond hosting the lure: the victim's browser submits the forged request (typically an auto-submitting HTML form) and attaches the victim's authentication cookies automatically, so the plugin cannot distinguish it from a legitimate action.
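The two paragraphs above describe the generic WordPress CSRF pattern rather than the specific handler in F12-Profiler. The following added illustration (not code from F12-Profiler or Forge12; all f12p_* function, option and action names are hypothetical) shows an admin-post handler written the vulnerable way beside the hardened form that a patch for this class of bug normally introduces: a per-action nonce rendered into the form and verified before any state changes, plus an explicit capability check.

```php
<?php
/*
 * Added example, not plugin code. Hypothetical names: f12p_save_settings,
 * f12p_mode, f12p_nonce. Requires the WordPress runtime (add_action,
 * check_admin_referer, current_user_can, etc.).
 */

// --- Vulnerable pattern ---------------------------------------------------
// An attacker page such as
//   <form action="https://victim.example/wp-admin/admin-post.php" method="POST">
//     <input name="action" value="f12p_save_settings_vuln">
//     <input name="f12p_mode" value="attacker-controlled">
//   </form><script>document.forms[0].submit()</script>
// makes a logged-in admin's browser overwrite the option: the handler checks
// neither a nonce nor a capability, so the cookie alone authorises the write.
add_action( 'admin_post_f12p_save_settings_vuln', 'f12p_save_settings_vuln' );
function f12p_save_settings_vuln() {
    update_option( 'f12p_mode', wp_unslash( $_POST['f12p_mode'] ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=f12p' ) );
    exit;
}

// --- Hardened pattern -----------------------------------------------------
// 1. Render the form with a nonce bound to this specific action. The nonce is
//    derived from the user's session token, so a cross-origin attacker cannot
//    read or predict it.
function f12p_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="f12p_save_settings">
        <?php wp_nonce_field( 'f12p_save_settings', 'f12p_nonce' ); ?>
        <input type="text" name="f12p_mode"
               value="<?php echo esc_attr( get_option( 'f12p_mode', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Verify capability AND nonce before touching state. check_admin_referer()
//    validates the nonce for the named action and calls wp_die() on failure,
//    so execution never reaches update_option() for a forged request.
add_action( 'admin_post_f12p_save_settings', 'f12p_save_settings' );
function f12p_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'f12p' ), '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'f12p_save_settings', 'f12p_nonce' );

    $mode = isset( $_POST['f12p_mode'] )
        ? sanitize_text_field( wp_unslash( $_POST['f12p_mode'] ) )
        : '';
    update_option( 'f12p_mode', $mode );
    wp_safe_redirect( admin_url( 'options-general.php?page=f12p&updated=1' ) );
    exit;
}
```

The capability check and the nonce check are independent defences: the nonce stops cross-site forgery, the capability check stops a low-privileged account from calling the endpoint directly. Handlers registered on wp_ajax_* hooks use check_ajax_referer() with the same action/field pair. When auditing a plugin for this bug class, list every admin_post_*, wp_ajax_* and admin_init callback that writes options or rows and confirm each one reaches a nonce check before its first write.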
Impact
Successful exploitation allows the attacker to force the victim to execute unwanted actions within the plugin, for example modifying its settings or deleting data [1]; the exact actions depend on which handlers lack protection. The CVSS score of 5.4 reflects a medium severity: user interaction is required, but a CSRF lure costs the attacker nothing per target, so Patchstack notes the potential for abuse in mass-exploitation campaigns.
Mitigation
The vulnerability is fixed in version 1.4.0 of the plugin; update immediately [1]. Patchstack users can enable auto-updates for the plugin. If updating is not possible, deactivate the plugin until it can be. Generic defences reduce but do not remove the risk: browsers that apply SameSite=Lax to cookies by default (Chromium-based browsers) withhold the WordPress session cookie on cross-site POST form submissions, but not on top-level GET navigations, so any state change reachable via GET remains exploitable, and administrators should avoid browsing untrusted sites while logged into wp-admin.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.