CVE-2025-47590
Description
Cross-Site Request Forgery (CSRF) vulnerability in JExtensions Store WPSpeed wpspeed allows Cross Site Request Forgery. This issue affects WPSpeed: from n/a through <= 2.6.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in WPSpeed plugin versions up to 2.6.5 allows attackers to force privileged users to execute unwanted actions.
A Cross-Site Request Forgery (CSRF) vulnerability exists in the WPSpeed plugin for WordPress, affecting all versions up to and including 2.6.5 [1]. The flaw stems from insufficient CSRF protections, enabling attackers to craft malicious requests that appear legitimate to the server. When a privileged user interacts with a crafted link or page, the attacker can force the execution of unintended actions under the victim's authentication [1].
Exploitation requires user interaction—a logged-in administrator or other privileged user must click a malicious link or visit a specially crafted page. This threat is leveraged in mass-exploit campaigns targeting thousands of websites, regardless of their traffic or popularity [1]. The attack surface is broad because the plugin lacks proper nonce or token validation for sensitive operations.
If successfully exploited, an attacker could make unauthorized changes to the WordPress site, such as modifying plugin settings, injecting malicious code, or altering user roles, all under the authority of the victim user. The CVSS v3 base score of 4.3 (Medium) reflects the need for user interaction and the partial impact on integrity [1].
The vulnerability has been addressed in version 2.6.6. Users are strongly advised to update immediately; Patchstack users can enable auto-updates for vulnerable plugins. For those unable to update, a hosting provider or web developer should be consulted to apply temporary mitigations [1].
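Added illustration of the missing check the narrative describes, not WPSpeed's own code: a hypothetical WordPress settings-save handler in its unprotected form beside a hardened form that binds the action to a nonce and a capability check (every `wpspeed_demo_*` name and the option key are invented for this example).

```php
<?php
// Illustration only; not WPSpeed's code. All wpspeed_demo_* names are hypothetical.

// --- Unprotected pattern: a settings-save handler with no CSRF check. ---
// Any page a logged-in administrator visits can auto-submit this form; the
// request carries the admin's session cookie and is accepted as legitimate.
function wpspeed_demo_save_settings_vulnerable() {
    if ( ! isset( $_POST['wpspeed_demo_cache'] ) ) {
        return;
    }
    update_option( 'wpspeed_demo_cache', sanitize_text_field( wp_unslash( $_POST['wpspeed_demo_cache'] ) ) );
}

// --- Hardened pattern: capability check plus a nonce bound to this action. ---
function wpspeed_demo_save_settings_hardened() {
    // Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // CSRF defence: check_admin_referer() verifies the "_wpnonce" field for the
    // named action (and the referer) and dies with 403 if it is missing or
    // invalid. A third-party page cannot read the victim's nonce, so a forged
    // request stops here.
    check_admin_referer( 'wpspeed_demo_save_settings' );
    if ( ! isset( $_POST['wpspeed_demo_cache'] ) ) {
        return;
    }
    update_option( 'wpspeed_demo_cache', sanitize_text_field( wp_unslash( $_POST['wpspeed_demo_cache'] ) ) );
}

// The legitimate settings form must emit the matching nonce field.
function wpspeed_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpspeed_demo_save_settings">
        <?php wp_nonce_field( 'wpspeed_demo_save_settings' ); ?>
        <input type="text" name="wpspeed_demo_cache"
               value="<?php echo esc_attr( get_option( 'wpspeed_demo_cache', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Route the admin-post.php action to the hardened handler only.
add_action( 'admin_post_wpspeed_demo_save_settings', 'wpspeed_demo_save_settings_hardened' );
```

When auditing a plugin for this class of issue, look for `update_option()`, role changes or file writes reachable from `admin_post_*`, `wp_ajax_*` or `admin_init` hooks that are not preceded by a nonce check and a `current_user_can()` test.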
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.