CVE-2025-47447
Description
Cross-Site Request Forgery (CSRF) vulnerability in Hossni Mubarak Cool Author Box hm-cool-author-box-widget allows Cross Site Request Forgery. This issue affects Cool Author Box: from n/a through <= 3.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in WordPress Cool Author Box plugin ≤3.0.0 allows attackers to force privileged users to execute unwanted actions.
Vulnerability
Overview
The Cool Author Box WordPress plugin (versions ≤3.0.0) is vulnerable to Cross-Site Request Forgery (CSRF). The issue arises from missing or insufficient CSRF protection mechanisms, such as nonce validation, in the plugin's administrative functions. This allows an attacker to trick a logged-in administrator into performing unintended actions without their knowledge [1].
Exploitation
Exploitation requires user interaction: a privileged user (e.g., an administrator) must click a malicious link, visit a crafted page, or submit a form while authenticated. No special network position is needed; the attacker can deliver the exploit via email, social engineering, or other means. The attacker needs no credentials of their own; the attack only needs an already-authenticated administrator as its target [1].
Impact
Successful exploitation enables an attacker to force the victim to execute actions under their current session, such as modifying plugin settings, creating new admin accounts, or performing other operations that could lead to site compromise. The CVSS v3 score is 4.3 (Medium), reflecting the requirement for user interaction and the potential for limited impact [1].
Mitigation
The vulnerability has been patched in version 3.0.1 of the Cool Author Box plugin. Users are strongly advised to update to this version immediately. If an immediate update is not possible, consider disabling the plugin or implementing additional security measures such as Web Application Firewall rules to mitigate CSRF attacks [1].
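The narrative above attributes the flaw to missing nonce validation in the plugin's admin functions. The following is an added illustration, not code from the Cool Author Box plugin: a hypothetical admin-post settings handler (all `hm_example_*` names and the `box_text` option are assumptions) shown first without CSRF protection and then with the WordPress nonce and capability checks that close the gap.

```php
<?php
// Added illustration (not the plugin's code): a hypothetical settings handler
// for a WordPress widget, shown without and then with CSRF protection.

// VULNERABLE: any POST reaching admin-post.php with this action is honoured.
// The request is authenticated only by the admin's session cookie, so a page
// under someone else's control can make the admin's browser submit it.
function hm_example_save_settings_vulnerable() {
    update_option( 'hm_example_box_text', wp_kses_post( wp_unslash( $_POST['box_text'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=hm-example' ) );
    exit;
}

// HARDENED: the form embeds a nonce bound to this action and the user's
// session, which a third-party page cannot read or forge.
function hm_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'hm_example_save_settings', 'hm_example_nonce' );
    echo '<input type="hidden" name="action" value="hm_example_save_settings">';
    echo '<input type="text" name="box_text" value="'
        . esc_attr( get_option( 'hm_example_box_text', '' ) ) . '">';
    submit_button();
    echo '</form>';
}

function hm_example_save_settings_hardened() {
    // Authorization: only users allowed to manage options may reach the write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // CSRF check: check_admin_referer() stops with a 403 unless the nonce
    // verifies for this action and the current user's session.
    check_admin_referer( 'hm_example_save_settings', 'hm_example_nonce' );

    update_option( 'hm_example_box_text', wp_kses_post( wp_unslash( $_POST['box_text'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=hm-example' ) );
    exit;
}
add_action( 'admin_post_hm_example_save_settings', 'hm_example_save_settings_hardened' );
```

When reviewing a plugin for this class of bug, look for every `admin_post_*`, `admin_init`, or `wp_ajax_*` handler that writes options or users and confirm it reaches a `check_admin_referer()` / `wp_verify_nonce()` call plus a capability check before the write.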
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.