VYPR
Medium severity 4.3 · NVD Advisory · Published Apr 24, 2025 · Updated Apr 23, 2026

CVE-2025-46462

Description

Cross-Site Request Forgery (CSRF) vulnerability in Trân Minh-Quân WPVN wpvn-username-changer allows Cross Site Request Forgery. This issue affects WPVN: from n/a through <= 0.7.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF in WPVN Username Changer plugin (≤0.7.8) lets attackers force authenticated admins to perform unwanted actions.

The WPVN Username Changer WordPress plugin, up to and including version 0.7.8, contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw exists due to missing or insufficient nonce validation on certain plugin requests, allowing attackers to craft malicious links or forms that, when clicked by an authenticated administrator, can trigger unwanted actions without the admin's consent [1].

Exploitation does not require any special privileges for the attacker, but relies on social engineering to trick a logged-in administrator into interacting with a crafted request. For example, the admin may be lured to click a malicious link or submit a form on a third-party site while authenticated to the WordPress dashboard. As noted in the advisory, this kind of vulnerability is frequently abused in mass-exploit campaigns targeting thousands of sites regardless of their size or popularity [1].

Successful exploitation could allow an attacker to force the administrator to perform unintended actions under their current session, such as changing account settings or making other configuration changes the plugin provides. The CVSS v3 base score of 4.3 (Medium) reflects the requirement for user interaction and the need for an authenticated session [1].

The recommended mitigation is to update the plugin to a patched version, if available. Since the affected versions are 0.7.8 and earlier, users should check for updates immediately. If updating is not possible, contacting the hosting provider or a web developer for assistance is advised [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
