CVE-2025-47614
Description
Cross-Site Request Forgery (CSRF) vulnerability in Chris Clark LessButtons Social Sharing and Statistics lessbuttons allows Cross Site Request Forgery. This issue affects LessButtons Social Sharing and Statistics: from n/a through <= 1.6.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in the LessButtons Social Sharing and Statistics WordPress plugin up to version 1.6.1 allows an attacker to change plugin settings by tricking a privileged user into an unwanted action.
The LessButtons Social Sharing and Statistics plugin for WordPress (versions <= 1.6.1) contains a Cross-Site Request Forgery (CSRF) vulnerability. The plugin fails to validate or verify the origin of requests when processing settings changes, allowing a malicious actor to craft a request that modifies plugin configuration on behalf of an authenticated administrator [1].
Exploitation requires user interaction: a privileged user must be tricked into clicking a malicious link, visiting a crafted page, or submitting a form while authenticated to the WordPress admin. No other authentication or network access is needed beyond the victim user's session [1].
Successful exploitation could allow an attacker to change plugin settings without authorization. While the impact is limited to configuration changes, such CSRF flaws are often chained with other vulnerabilities or used in mass-exploit campaigns targeting thousands of WordPress sites [1].
The vendor has not released a patch; however, users are advised to update the plugin to a fixed version if available, or contact their hosting provider for assistance as an immediate mitigation. This vulnerability is not yet listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.