CVE-2025-3099
Description
The Advanced Search by My Solr Server plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on the 'MySolrServerSettings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Advanced Search by My Solr Server plugin (≤2.0.5) allows unauthenticated attackers to update settings and inject scripts.
Vulnerability
Overview
The Advanced Search by My Solr Server plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 2.0.5. The root cause is missing or incorrect nonce validation on the 'MySolrServerSettings' page. This flaw allows an unauthenticated attacker to craft a malicious request that, when executed by an authenticated site administrator, can modify plugin settings and inject arbitrary web scripts [1].
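As an added illustration (not the plugin's own code), a hypothetical WordPress settings handler in the unprotected shape the description implies, beside the hardened form that validates a nonce, checks the caller's capability and sanitizes the stored value; the option name, field names and function names are assumed:

```php
<?php
// Added example, not taken from the plugin: a hypothetical settings page showing the
// unprotected pattern beside the hardened one. Option and field names are assumed.

// Unprotected shape: every POST that reaches this handler is trusted, so a request
// forged by a third party and sent from the administrator's browser rewrites the option.
function mss_example_save_settings_unprotected() {
    update_option( 'mss_example_solr_host', $_POST['solr_host'] ); // no nonce, no capability check, no sanitization
}

// Hardened shape, step 1: render the form with a nonce bound to one specific action.
function mss_example_render_settings_form() {
    $host = get_option( 'mss_example_solr_host', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'mss_example_save_settings', 'mss_example_nonce' ); ?>
        <input type="hidden" name="action" value="mss_example_save_settings">
        <label>Solr host
            <input type="text" name="solr_host" value="<?php echo esc_attr( $host ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened shape, step 2: verify capability and nonce before touching any option.
// check_admin_referer() stops the request with a 403 when the nonce is missing,
// expired, or was issued for another user or action, which is what a cross-site
// forged request lacks.
function mss_example_save_settings_protected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'mss_example_save_settings', 'mss_example_nonce' );

    // Sanitize on input; esc_attr() on output (above) keeps a stored value from
    // being rendered back into the admin page as markup or script.
    $host = isset( $_POST['solr_host'] ) ? sanitize_text_field( wp_unslash( $_POST['solr_host'] ) ) : '';
    update_option( 'mss_example_solr_host', $host );

    wp_safe_redirect( add_query_arg( 'settings-updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_mss_example_save_settings', 'mss_example_save_settings_protected' );
```

The nonce check alone does not replace the capability check: a low-privileged user with a valid nonce for this action would still be refused by `current_user_can()`.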
Exploitation
Conditions
Exploitation requires tricking a site administrator into performing an action such as clicking a crafted link while they are authenticated to the WordPress admin area. No other authentication or prior access is needed by the attacker. The attack surface is the settings page, which lacks CSRF protection [1].
Impact
Successful exploitation enables an attacker to alter the Solr server configurations and inject malicious scripts, potentially leading to stored XSS or other administrative actions performed without proper authorization. The injected scripts could compromise the administrative interface and affect site visitors.
Mitigation
The vendor has closed the plugin as of April 1, 2025 due to a security issue, and it is no longer available for download from the WordPress plugin directory [1]. Users running versions up to 2.0.5 should immediately remove or replace the plugin, as no patch is provided.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/advanced-search-by-my-solr-server/tags/2.0.5/advanced-search-by-my-solr-server-options-page.php (NVD)
- plugins.trac.wordpress.org/browser/advanced-search-by-my-solr-server/tags/2.0.5/advanced-search-by-my-solr-server.inc.php (NVD)
- plugins.trac.wordpress.org/browser/advanced-search-by-my-solr-server/tags/2.0.5/advanced-search-by-my-solr-server.php (NVD)
- wordpress.org/plugins/advanced-search-by-my-solr-server/ (NVD)
- www.wordfence.com/threat-intel/vulnerabilities/id/250d1bea-793d-4c13-976b-bfc3ff7d9160 (NVD)