CVE-2025-52769
Description
Cross-Site Request Forgery (CSRF) vulnerability in flexostudio flexo-social-gallery allows Cross Site Request Forgery. This issue affects flexo-social-gallery: from n/a through <= 1.0006.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the flexo-social-gallery WordPress plugin allows attackers to force privileged users to perform unintended actions.
A Cross-Site Request Forgery (CSRF) vulnerability exists in the flexostudio flexo-social-gallery plugin for WordPress, affecting version 1.0006 and earlier [1]. The plugin fails to validate or verify the origin of requests made to its administrative or state-changing endpoints, allowing an attacker to craft requests that appear legitimate to the server.
Exploitation requires user interaction: a logged-in, higher-privileged user (such as an administrator) must click a malicious link, visit a crafted page, or submit a specially prepared form [1]. This can be achieved through social engineering or by embedding the request in a page viewed by the victim. The attacker needs no authentication of their own; the forged request relies on the victim's existing session.
Successful exploitation could force the victim's browser to execute unwanted actions under the victim's current authentication, such as modifying plugin settings, uploading content, or performing other administrative tasks without the user's consent [1]. This type of vulnerability is frequently leveraged in mass-exploit campaigns targeting thousands of websites simultaneously [1].
Plugin version 1.0006 is the last affected version. Users are strongly advised to update the plugin to the latest available version or, if no patch exists, to disable the plugin and seek assistance from their hosting provider or a web developer [1]. No workaround details are provided. The vulnerability has a CVSS v3 score of 4.3 (Medium).
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.0006
- (no CPE) range: <=1.0006
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.