CVE-2025-47594
Description
Cross-Site Request Forgery (CSRF) vulnerability in DAEXT Soccer Live Scores allows Cross Site Request Forgery. This issue affects Soccer Live Scores: from n/a through 1.0.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WordPress Soccer Live Scores plugin <=1.0.5 has a CSRF vulnerability that lets an attacker induce privileged users to perform unintended actions.
Vulnerability Overview
The Soccer Live Scores plugin for WordPress (versions through 1.0.5) contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. This flaw arises because the plugin does not properly validate or verify the origin of requests, allowing a malicious actor to craft requests that appear legitimate to a logged-in administrator or other privileged user.
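The missing check, shown on a hypothetical WordPress settings handler next to its hardened form. This is an added example, not code from the Soccer Live Scores plugin; every `example_*` name, the option key and the settings page slug are assumptions, and the file is meant to be loaded as a plugin inside WordPress.

```php
<?php
// Added illustration: hypothetical plugin code, not taken from Soccer Live Scores.
// All example_* names, the option key and the page slug are assumptions.

// BEFORE: a state-changing handler that relies on the admin's session cookie alone.
// WordPress routes admin-post.php?action=example_save_unsafe here; nothing ties the
// request to a form the plugin itself rendered.
add_action( 'admin_post_example_save_unsafe', function () {
    update_option( 'example_refresh_seconds', absint( $_POST['refresh'] ?? 30 ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
} );

// AFTER: the same handler with a capability check and a nonce bound to the action.
add_action( 'admin_post_example_save', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Stops the request unless $_REQUEST['example_nonce'] holds a valid nonce
    // for this action, generated for the current user and session.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    update_option( 'example_refresh_seconds', absint( wp_unslash( $_POST['refresh'] ?? 30 ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example&updated=1' ) );
    exit;
} );

// The settings form has to emit the matching nonce field, or the hardened
// handler will reject the plugin's own submissions too.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="number" name="refresh"
               value="<?php echo esc_attr( get_option( 'example_refresh_seconds', 30 ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of flaw, look for `admin_post_*`, `wp_ajax_*` and `admin_init` callbacks that write options or content without a `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call before the write.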
Exploitation Details
To exploit this vulnerability, an attacker must trick a privileged user—such as an administrator—into performing an action like clicking a malicious link or visiting a crafted page [1]. No authentication is required on the attacker's side, but the targeted user must be authenticated and have sufficient privileges to perform the unwanted action. The CSRF attack does not require any special network position, as it can be delivered via email links, social media, or other web-based vectors.
Impact
If successfully exploited, an attacker could force the privileged user to execute actions within the plugin's settings or functionality without their consent [1]. This could include modifying scores, changing configuration options, or other administrator-level operations. The CVSS v3 base score of 4.3 (Medium) reflects the need for user interaction and the limited scope of impact, but the vulnerability is considered serious enough to be included in mass-exploit campaigns.
Mitigation
The plugin developer has not released a patched version beyond 1.0.5, so immediate action is recommended: update the plugin to the latest available version or remove it if no update is provided [1]. If updating is not possible, users should restrict access to the plugin's admin pages and educate privileged users about the risks of clicking untrusted links. The advisory from Patchstack emphasizes that this vulnerability is actively used in campaigns targeting thousands of websites [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.0.5
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.