VYPR
Medium severity 4.3 · NVD Advisory · Published Aug 28, 2025 · Updated Apr 23, 2026

CVE-2025-48363

Description

Cross-Site Request Forgery (CSRF) vulnerability in Metin Saraç Popup for CF7 with Sweet Alert cf7-sweet-alert-popup allows Cross Site Request Forgery. This issue affects Popup for CF7 with Sweet Alert: from n/a through <= 1.6.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in the Popup for CF7 with Sweet Alert WordPress plugin (≤1.6.5) allows attackers to trick privileged users into performing unintended actions.

The Popup for CF7 with Sweet Alert plugin for WordPress fails to implement proper Cross-Site Request Forgery (CSRF) protections. This means that requests to perform sensitive actions within the plugin are not validated against a unique token, making it possible for an attacker to forge requests on behalf of an authenticated administrator [1].

To exploit this vulnerability, an attacker must trick a logged-in user with sufficient privileges (such as an administrator) into clicking a malicious link or visiting a crafted page. The attacker does not need any authentication themselves, but the victim must perform an action like clicking a link or submitting a form. This user interaction is required for the attack to succeed [1].

If exploited, an attacker can force the victim's browser to execute unwanted actions under the victim's current session. This could include changing plugin settings, deleting data, or performing other administrative tasks without the victim's consent. The vulnerability is noted to be used in mass-exploit campaigns targeting thousands of websites [1].

As a mitigation, users should update the plugin to version 1.6.6 or later, which contains the fix. If updating is not immediately possible, it is recommended to contact the hosting provider or a web developer for assistance. No workaround is currently available [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
