CVE-2025-53268
Description
Cross-Site Request Forgery (CSRF) vulnerability in ryanpcmcquen Import external attachments import-external-attachments allows Cross Site Request Forgery. This issue affects Import external attachments: from n/a through <= 1.5.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in WordPress Import external attachments plugin <=1.5.12 lets attackers force privileged users to perform unintended actions.
Vulnerability Overview
CVE-2025-53268 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress Import external attachments plugin, developed by ryanpcmcquen. The plugin fails to implement proper CSRF protection for its administrative actions, allowing an attacker to craft malicious requests that are executed by unsuspecting authenticated users [1].
Exploitation Prerequisites
To exploit this vulnerability, an attacker must trick a user with sufficient privileges (e.g., an admin) into clicking a crafted link or visiting a malicious page. No prior authentication is needed from the attacker; the attack relies on the victim's active session in WordPress [1].
Impact
Successful exploitation enables the attacker to perform actions on the victim's behalf, such as importing external attachments. This could lead to the injection of untrusted content or the manipulation of site data, potentially compromising the integrity of the WordPress installation [1].
Mitigation
The vulnerability affects all versions of the plugin up to and including 1.5.12. Users are strongly advised to update the plugin to the latest available version. If an update is not feasible, immediate consultation with a hosting provider or web developer is recommended. This vulnerability is known to be targeted in mass-exploit campaigns [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.5.12
Patches
No patches discovered yet.
References