VYPR
Medium severity 4.3 · NVD Advisory · Published Jul 16, 2025 · Updated Apr 23, 2026

CVE-2025-54039

Description

Cross-Site Request Forgery (CSRF) vulnerability in Toast Plugins Animator scroll-triggered-animations allows Cross Site Request Forgery. This issue affects Animator: from n/a through <= 3.0.16.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in WordPress Animator plugin (<=3.0.16) allows attackers to force privileged users into unwanted actions via crafted requests.

The Animator plugin for WordPress, known as *scroll-triggered-animations*, contains a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 3.0.16 [1]. The root cause is the lack of CSRF protection on sensitive actions, enabling an attacker to forge requests from a privileged user's browser without their consent [1].

Exploitation requires a privileged user—such as an administrator—to be tricked into clicking a malicious link, submitting a crafted form, or visiting a specially designed page while authenticated to the target WordPress site [1]. No authentication is needed for the attacker, but the victim must have an active session with sufficient privileges. This attack vector is commonly used in mass-exploit campaigns targeting thousands of sites simultaneously [1].

Successful exploitation allows an attacker to perform arbitrary actions under the victim's authentication, such as modifying plugin settings, creating new administrator accounts, or injecting malicious content [1]. The CVSS v3 score of 4.3 (Medium) reflects the requirement for user interaction and a privileged victim, but the impact can be severe if the target user has high-level permissions [1].

The vulnerability has been addressed in version 3.0.17 of the Animator plugin [1]. Users are advised to update immediately; if an update is not possible, they should seek assistance from their hosting provider. Patchstack users can enable auto-updates for vulnerable plugins [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
