VYPR
Medium severity 4.3 · NVD Advisory · Published Jun 27, 2025 · Updated Apr 23, 2026

CVE-2025-53269

Description

Cross-Site Request Forgery (CSRF) vulnerability in imw3 My Wp Brand my-wp-brand allows Cross Site Request Forgery. This issue affects My Wp Brand: from n/a through <= 1.1.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

My Wp Brand plugin for WordPress (<=1.1.3) contains a CSRF vulnerability allowing attackers to force privileged users to execute unintended actions.

The WordPress plugin My Wp Brand, versions up to and including 1.1.3, is affected by a Cross-Site Request Forgery (CSRF) vulnerability. The issue resides in insufficient request validation, enabling attackers to craft requests that perform unauthorized actions on behalf of an authenticated administrator without their consent [1].

Exploitation requires the attacker to trick a logged-in administrator into performing an action, such as clicking a malicious link or submitting a crafted form. The attacker does not need prior authentication or direct network access to the victim site, but the targeted user must have sufficient privileges, such as admin-level capabilities, for the forged request to have impact [1].

If successfully exploited, this CSRF flaw allows an attacker to force the victim administrator to execute unwanted actions under their current session. Depending on the plugin's functionality, this could lead to unauthorized settings changes or other modifications within the WordPress installation [1].

The vendor has released version 1.1.4 which resolves the vulnerability. Users are strongly advised to update to this version immediately. Patchstack users can enable auto-updates for vulnerable plugins. While the issue is rated with a CVSS score of 4.3 (Medium) and is considered unlikely to be exploited in mass campaigns, CSRF vulnerabilities are frequently targeted due to their simplicity [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

References

1
