CVE-2025-47684
Description
Cross-Site Request Forgery (CSRF) vulnerability in Smaily Smaily for WP smaily-for-wp allows Cross Site Request Forgery. This issue affects Smaily for WP: from n/a through <= 3.1.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in Smaily for WP plugin (≤3.1.7) allows attackers to force privileged users to perform unintended actions.
Vulnerability Overview
CVE-2025-47684 is a Cross-Site Request Forgery (CSRF) vulnerability in the Smaily for WP plugin for WordPress, affecting versions from n/a through 3.1.7. The flaw exists because the plugin does not properly validate or enforce anti-CSRF tokens on sensitive actions, allowing an attacker to craft malicious requests that can be executed by an authenticated administrator.
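The check whose absence is described above, shown as an added example on a hypothetical WordPress plugin. This is not code from Smaily for WP; every `example_newsletter_*` name, the option key and the settings page slug are assumptions made for illustration.

```php
<?php
// Added illustration on a hypothetical plugin; no name here comes from Smaily for WP.

// Settings form: wp_nonce_field() embeds a token bound to the user, session and action.
function example_newsletter_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_newsletter_save">
        <?php wp_nonce_field( 'example_newsletter_save', 'example_newsletter_nonce' ); ?>
        <input type="text" name="api_key">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Unprotected pattern (shown for contrast, deliberately not hooked): the admin's
// session cookie alone authorizes the write, so the handler cannot tell its own
// form apart from a request triggered by a page on another origin.
function example_newsletter_save_unprotected() {
    $api_key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'example_newsletter_api_key', $api_key );
}

// Hardened handler: capability check plus nonce verification before any state change.
function example_newsletter_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Terminates the request if the nonce is missing, expired, or was issued
    // for a different user or action.
    check_admin_referer( 'example_newsletter_save', 'example_newsletter_nonce' );

    $api_key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'example_newsletter_api_key', $api_key );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-newsletter' ) );
    exit;
}
add_action( 'admin_post_example_newsletter_save', 'example_newsletter_save' );
```

When auditing a plugin for this class of flaw, look for `admin_post_*`, `wp_ajax_*` and `admin_init` callbacks that write options or other state without a matching `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call.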
Exploitation Details
Exploitation requires user interaction: a privileged user (such as an administrator) must be tricked into clicking a malicious link, visiting a crafted page, or submitting a form while logged into the WordPress admin panel. No authentication is needed for the attacker, but the victim must have an active session with sufficient privileges. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of sites simultaneously [1].
Impact
Successful exploitation allows an attacker to force the victim to perform unintended actions within the victim's authenticated session, such as changing plugin settings, adding or deleting users, or modifying site content. The CVSS v3 base score is 5.4 (Medium), reflecting the need for user interaction and the potential for significant but limited impact.
Mitigation
The vendor has not released a specific patch version, but users are strongly advised to update the Smaily for WP plugin to the latest available version as soon as possible. If updating is not immediately feasible, site administrators should implement additional security measures such as using a web application firewall or restricting access to the plugin's settings pages [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.