CVE-2025-48265
Description
Cross-Site Request Forgery (CSRF) vulnerability in Pektsekye Year Make Model Search for WooCommerce (ymm-search) allows Cross-Site Request Forgery. This issue affects Year Make Model Search for WooCommerce: from n/a through <= 1.0.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in Pektsekye Year Make Model Search for WooCommerce allows attackers to force privileged users to change settings via crafted requests.
Vulnerability Overview
The Year Make Model Search for WooCommerce plugin (ymm-search) by Pektsekye contains a Cross-Site Request Forgery (CSRF) vulnerability affecting versions up to and including 1.0.11. This flaw arises because the plugin does not properly validate or sanitize requests when modifying settings, allowing an attacker to trick an authenticated administrator into unknowingly executing unwanted actions. [1]
Exploitation Prerequisites
Exploitation requires a privileged user, such as an administrator, to be tricked into clicking a malicious link, visiting a crafted page, or submitting a specially crafted form while logged into the WordPress admin panel. The attacker does not need direct access to the target site, only the ability to deliver the forged request to the victim. [1]
Impact
If successfully exploited, this CSRF vulnerability could allow an attacker to change plugin settings without the victim's consent. While the CVSS score (4.3, Medium) indicates a lower severity, the flaw could be leveraged in mass-exploit campaigns targeting thousands of websites simultaneously, particularly because the vulnerability affects a widely used plugin. [1]
Mitigation and Status
The plugin vendor has released version 1.0.12, which resolves the CSRF issue. Users are strongly advised to update immediately to this patched version. Patchstack users can enable auto-updates for vulnerable plugins. If an update is not possible, consulting a hosting provider or developer for alternative mitigation is recommended. The vulnerability is listed in the Patchstack database with details on the fix. [1]
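The overview above attributes the flaw to settings being modified without request validation; the WordPress-native fix for that class of bug is a capability check plus a nonce tied to the action. The following is an added, hypothetical illustration of that pattern, not code from the ymm-search plugin, and the option name, action name and form field are assumptions.

```php
<?php
// Hypothetical settings handler illustrating the CSRF class of flaw and its fix.
// Option name, action name and field name are assumptions, not the plugin's own code.

// BEFORE: the handler trusts any POST that reaches it, so a form submitted by a
// logged-in administrator's browser from an unrelated site also updates the option.
function ymm_example_save_settings_unsafe() {
    if ( isset( $_POST['ymm_example_mode'] ) ) {
        update_option( 'ymm_example_mode', sanitize_text_field( wp_unslash( $_POST['ymm_example_mode'] ) ) );
    }
}

// AFTER: require the capability AND a nonce bound to this action. A third-party page
// cannot read the victim's nonce, so a forged request fails check_admin_referer().
function ymm_example_save_settings_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Verifies $_POST['_wpnonce'] against the action 'ymm_example_save_settings'
    // and stops execution with an error when it is missing or invalid.
    check_admin_referer( 'ymm_example_save_settings' );

    if ( isset( $_POST['ymm_example_mode'] ) ) {
        update_option( 'ymm_example_mode', sanitize_text_field( wp_unslash( $_POST['ymm_example_mode'] ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=ymm-example&updated=1' ) );
    exit;
}
add_action( 'admin_post_ymm_example_save_settings', 'ymm_example_save_settings_safe' );

// The legitimate settings form must emit the matching nonce field so that only
// submissions rendered by WordPress for this user carry a valid token.
function ymm_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ymm_example_save_settings">
        <?php wp_nonce_field( 'ymm_example_save_settings' ); ?>
        <input type="text" name="ymm_example_mode"
               value="<?php echo esc_attr( get_option( 'ymm_example_mode', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this issue, look for every code path that calls update_option() or otherwise changes state from request data and confirm it is preceded by both a current_user_can() check and a nonce verification; a capability check alone does not stop CSRF, because the forged request is sent by a user who already holds the capability.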
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.