CVE-2025-47470
Description
Cross-Site Request Forgery (CSRF) vulnerability in senols GPT3 AI Content Writer gpt3-ai-content-generator allows Cross Site Request Forgery. This issue affects GPT3 AI Content Writer: from n/a through <= 1.9.14.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in GPT3 AI Content Writer plugin (≤1.9.14) lets attackers trick privileged users into unwanted actions, fixed in 1.9.15.
The GPT3 AI Content Writer plugin for WordPress (all versions up to and including 1.9.14) contains a Cross-Site Request Forgery (CSRF) vulnerability. The root cause is the lack of proper CSRF token validation on state-changing requests, allowing an attacker to forge requests on behalf of an authenticated administrator or other privileged user. [1]
Exploitation requires user interaction: a privileged user must be tricked into clicking a malicious link, visiting a crafted page, or submitting a form while authenticated to the WordPress site. No additional authentication is needed from the attacker beyond the victim user's existing session. [1]
A successful CSRF attack could force the victim to perform unwanted actions under their current authentication level, such as generating AI content or changing plugin settings. The CVSS score of 4.3 (Medium) reflects the need for user interaction and the limited direct impact, but acknowledges the potential for abuse in automated campaigns. [1]
The vulnerability has been patched in version 1.9.15. Users are strongly advised to update immediately. The vendor and Patchstack recommend enabling auto-updates for vulnerable plugins to mitigate mass-exploitation attempts. [1]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.9.14
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.