VYPR
Medium severity 4.3 · NVD Advisory · Published May 19, 2025 · Updated Apr 23, 2026

CVE-2025-39375

Description

Cross-Site Request Forgery (CSRF) vulnerability in Ashok G Easy Child Theme Creator easy-child-theme-creator allows Cross Site Request Forgery. This issue affects Easy Child Theme Creator: from n/a through <= 1.3.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in Easy Child Theme Creator plugin up to 1.3.1 allows attackers to force privileged users to execute unwanted actions.

The Easy Child Theme Creator plugin for WordPress versions up to and including 1.3.1 contains a Cross-Site Request Forgery (CSRF) vulnerability. This security flaw allows an attacker to trick a privileged user into unknowingly executing malicious actions, as the plugin fails to properly validate or enforce anti-CSRF tokens on sensitive requests [1].

Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page while authenticated. The attacker does not need special privileges but must convince a higher-privileged user (e.g., administrator) to perform an action. This attack vector is commonly used in mass-exploit campaigns targeting multiple websites [1].

Successful exploitation enables an attacker to perform unauthorized actions under the victim's authentication, such as modifying settings or creating malicious child themes. The CVSS score of 4.3 (Medium) reflects the requirement for user interaction and the potential impact on integrity [1].

As of the publication date, the vendor has not released a patched version. Users are strongly advised to update the plugin once a fix becomes available or to disable it until then. Immediate action is recommended due to the risk of mass exploitation [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
