CVE-2025-47551
Description
Cross-Site Request Forgery (CSRF) vulnerability in ctltwp Wiki Embed wiki-embed allows Cross Site Request Forgery. This issue affects Wiki Embed: from n/a through 1.4.6 (inclusive).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in WordPress Wiki Embed plugin <=1.4.6 allows attackers to change plugin settings by tricking a privileged user into clicking a malicious link.
Vulnerability
Overview
The Wiki Embed plugin for WordPress (versions up to and including 1.4.6) contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. This flaw allows an attacker to perform unauthorized actions on behalf of a logged-in administrator, specifically to modify plugin settings without the victim's consent.
Exploitation
Details
Exploitation requires user interaction: a user who is allowed to change the plugin's settings (typically an administrator) must click a crafted link, visit a malicious page, or submit a form while authenticated to the WordPress admin panel [1]. The attacker needs no account on the target site; the victim's browser attaches the session cookies to the forged request automatically, and the settings handler accepts it because it does not verify that the request originated from the plugin's own form (in WordPress plugins this almost always means a missing nonce check). Unlike an unauthenticated flaw, it cannot be sprayed across sites by a scanner alone: a privileged victim has to be lured into issuing the request, so realistic delivery is phishing or a page the administrator is likely to visit.
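To make the mechanism concrete, here is an added illustration in PHP of a WordPress settings handler with the class of defect described above, beside a hardened version. It is not Wiki Embed's code and does not reproduce its endpoints; the `demo_` prefix, the option name `demo_embed_source`, the field names and the nonce action are all hypothetical.

```php
<?php
/**
 * Added illustration of the CSRF class, not code from the Wiki Embed plugin.
 * Plugin prefix, option name, field names and nonce action are hypothetical.
 * Place in a plugin file of a test WordPress install to compare both handlers.
 */

// --- Vulnerable pattern: a state-changing POST handled with no nonce check.
// Any cross-origin page can POST these fields; the browser attaches the
// victim's logged-in cookies, so WordPress treats it as the administrator.
add_action('admin_init', 'demo_vulnerable_save');
function demo_vulnerable_save() {
    if (!isset($_POST['demo_save_vulnerable'])) {
        return;
    }
    // No check_admin_referer(), no capability check, no sanitisation.
    update_option('demo_embed_source', $_POST['embed_source']);
}

// A forged request against the handler above is just an auto-submitting form
// on an attacker-controlled page (hypothetical hosts):
//   <form method="post" action="https://victim.example/wp-admin/">
//     <input name="demo_save_vulnerable" value="1">
//     <input name="embed_source" value="https://attacker.example/payload">
//   </form><script>document.forms[0].submit()</script>

// --- Hardened pattern: capability check, nonce check, sanitisation.
// admin-post.php dispatches action=demo_save_settings to this hook for
// logged-in users.
add_action('admin_post_demo_save_settings', 'demo_hardened_save');
function demo_hardened_save() {
    // 1. Authorisation: only users allowed to manage options may change them.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to do that.', 'demo'), 403);
    }
    // 2. Anti-CSRF: the nonce is bound to the user, the session and this
    //    action, and a page on another origin cannot read or guess it.
    check_admin_referer('demo_save_settings', 'demo_nonce');

    // 3. Validate the input before persisting it.
    $source = isset($_POST['embed_source'])
        ? esc_url_raw(wp_unslash($_POST['embed_source']))
        : '';
    update_option('demo_embed_source', $source);

    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php?page=demo-settings')));
    exit;
}

// The settings form that pairs with the hardened handler. wp_nonce_field()
// emits the hidden demo_nonce input that check_admin_referer() verifies.
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="demo_save_settings">
        <?php wp_nonce_field('demo_save_settings', 'demo_nonce'); ?>
        <label>Embed source
            <input type="url" name="embed_source"
                   value="<?php echo esc_attr(get_option('demo_embed_source', '')); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The nonce and the capability check do different jobs: `check_admin_referer()` proves the request came from a form WordPress rendered for this user, while `current_user_can()` proves the user is allowed to perform the action at all. A handler that has only the nonce is still open to any low-privileged user who can load the form; a handler that has only the capability check is exactly the CSRF case this advisory describes.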
Impact
Successful exploitation enables an attacker to change the plugin's configuration settings [1]. While the CVSS score (4.3, Medium) indicates limited direct impact, altered settings could be leveraged for further attacks, such as injecting malicious content or redirecting users to external sites.
Mitigation
The vulnerability is patched in version 1.4.7 of the Wiki Embed plugin [1]. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins to streamline protection.
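An added operational check for the remediation above (not from the plugin project or from Patchstack): a POSIX shell script that compares the installed Wiki Embed version against 1.4.7 and updates it with WP-CLI. It assumes WP-CLI is installed, that the plugin slug is `wiki-embed` as given in the description, and that the WordPress root is passed as the first argument.

```shell
#!/bin/sh
# Added example: detect a vulnerable Wiki Embed install and update it.
# Assumes WP-CLI ("wp") is on PATH and the WordPress root is argument 1.
set -e

FIXED_VERSION="1.4.7"   # first fixed release per the advisory
PLUGIN_SLUG="wiki-embed" # slug from the CVE description

# version_le A B: exit 0 when dotted numeric version A <= B.
# Pure shell so it works without GNU sort -V; pre-release suffixes
# such as "1.4.7-beta" are not handled.
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # Strip the consumed component; clear the string on the last one.
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 0
}

# is_vulnerable V: exit 0 when installed version V is below FIXED_VERSION.
is_vulnerable() {
    ! version_le "$FIXED_VERSION" "$1"
}

# check_site ROOT: query the installed version and update if needed.
check_site() {
    root="$1"
    if ! installed=$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$root" 2>/dev/null); then
        echo "$PLUGIN_SLUG is not installed at $root"
        return 0
    fi
    if is_vulnerable "$installed"; then
        echo "$PLUGIN_SLUG $installed is affected by CVE-2025-47551; updating"
        wp plugin update "$PLUGIN_SLUG" --path="$root"
        # Keep it patched going forward (WP-CLI 2.5+).
        wp plugin auto-updates enable "$PLUGIN_SLUG" --path="$root"
    else
        echo "$PLUGIN_SLUG $installed is already at or above $FIXED_VERSION"
    fi
}

if [ "$#" -gt 0 ]; then
    check_site "$1"
fi
```

Run it as `sh check-wiki-embed.sh /var/www/html`; with several sites on one host, loop over their document roots. The version comparison is deliberately numeric per component so that a hypothetical 1.10.x is not mistaken for being older than 1.9.x, which a plain string comparison would do.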
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.