CVE-2025-3867
Description
The Ajax Comment Form CST plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation via the 'acform_cst_settings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Ajax Comment Form CST plugin up to v1.2 lacks CSRF protection on its settings page, so a forged request submitted by a tricked administrator lets an attacker modify settings and inject scripts.
Vulnerability
Overview
The Ajax Comment Form CST plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.2. The issue stems from missing or incorrect nonce validation on the 'acform_cst_settings' page, which is used to update plugin settings. This allows an attacker to craft a malicious request that, when executed by a logged-in administrator, performs unauthorized actions.
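As an added illustration, not the plugin's own code and not code from this page: a hypothetical WordPress settings handler showing the missing-nonce pattern beside a hardened version that checks the user's capability and verifies a nonce before saving, and the form that emits the matching nonce field. Only the 'acform_cst_settings' page slug comes from the CVE description; the function names and the option key are assumptions.

```php
<?php
// Hypothetical example (not the Ajax Comment Form CST plugin's code).
// Function names and the 'acform_cst_message' option key are assumptions.

// Vulnerable pattern: any POST reaching the settings page is trusted, so a
// cross-site form submitted by a logged-in administrator is accepted.
function acform_cst_save_settings_vulnerable() {
    if ( isset( $_POST['acform_cst_message'] ) ) {
        // Unsanitized value is stored and later echoed: stored XSS.
        update_option( 'acform_cst_message', $_POST['acform_cst_message'] );
    }
}

// Hardened pattern: capability check, nonce verification, then sanitization.
function acform_cst_save_settings_hardened() {
    if ( ! isset( $_POST['acform_cst_message'] ) ) {
        return;
    }
    // Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Reject the request unless it carries a valid nonce for this action;
    // check_admin_referer() calls wp_die() on a missing or invalid nonce.
    check_admin_referer( 'acform_cst_save_settings', 'acform_cst_nonce' );
    // Keep only allowed post-style HTML before persisting the value.
    $message = wp_kses_post( wp_unslash( $_POST['acform_cst_message'] ) );
    update_option( 'acform_cst_message', $message );
}

// The settings form must emit the nonce the handler verifies.
function acform_cst_render_settings_page() {
    $action = admin_url( 'options-general.php?page=acform_cst_settings' );
    ?>
    <form method="post" action="<?php echo esc_url( $action ); ?>">
        <?php wp_nonce_field( 'acform_cst_save_settings', 'acform_cst_nonce' ); ?>
        <textarea name="acform_cst_message"><?php
            echo esc_textarea( get_option( 'acform_cst_message', '' ) );
        ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

add_action( 'admin_init', 'acform_cst_save_settings_hardened' );
add_action( 'admin_menu', function () {
    add_options_page( 'Ajax Comment Form CST', 'Ajax Comment Form CST',
        'manage_options', 'acform_cst_settings', 'acform_cst_render_settings_page' );
} );
```

The nonce is bound to the logged-in user and the action name, so a form hosted on another site cannot supply a valid one even though the browser attaches the victim's session cookie.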
Exploitation
Details
An unauthenticated attacker can exploit this vulnerability by tricking an administrator into clicking a link or visiting a page that triggers a forged request. No authentication is required for the attacker, but the victim must have administrator privileges. The attack can be performed remotely without any special network position.
Impact
Successful exploitation enables the attacker to modify plugin settings and inject malicious web scripts (stored XSS) into the site. This could lead to further compromise, such as theft of sensitive data or full site takeover, depending on the injected scripts.
Mitigation
The plugin has been closed as of April 24, 2025, and is no longer available for download due to this security issue [1]. Users are strongly advised to remove the plugin from their WordPress installations and seek alternative solutions.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.