CVE-2025-49896
Description
Cross-Site Request Forgery (CSRF) vulnerability in wptasker WP Discord Post Plus – Supports Unlimited Channels allows Cross Site Request Forgery. This issue affects WP Discord Post Plus – Supports Unlimited Channels: from n/a through 1.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in WP Discord Post Plus plugin allows attackers to force privileged users to execute unintended actions.
The WP Discord Post Plus plugin for WordPress (versions through 1.0.2) contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. This flaw stems from insufficient validation of HTTP requests, enabling attackers to craft malicious links or forms that, when triggered by an authenticated administrator, can perform unauthorized actions on the target site.
Exploitation requires user interaction: a privileged user must click a malicious link or submit a crafted form while logged into the WordPress admin [1]. The attacker does not need to be authenticated, but the victim must hold sufficient privileges (e.g., admin) for the attack to succeed. Because CSRF token validation is missing, the forged request is accepted as genuine.
Successful exploitation could allow an attacker to alter plugin settings, publish posts, or execute other actions under the victim's identity without their consent [1]. This could lead to unauthorized content changes or privilege escalation, depending on the victim's role.
As a mitigation, users should immediately update the plugin to a version beyond 1.0.2 [1]. If an update is not available, temporary deactivation or implementing additional CSRF protections (e.g., via a web application firewall) is advised.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0.2
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.