CVE-2025-54732
Description
Cross-Site Request Forgery (CSRF) vulnerability in Shahjada WPDM – Premium Packages wpdm-premium-packages allows Cross Site Request Forgery. This issue affects WPDM – Premium Packages: from n/a through <= 6.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in WPDM – Premium Packages plugin (≤6.0.2) allows attackers to force privileged users to execute unwanted actions.
Vulnerability Overview
A Cross-Site Request Forgery (CSRF) vulnerability exists in the WPDM – Premium Packages plugin for WordPress, affecting versions up to and including 6.0.2. The issue arises because the plugin does not properly validate or enforce anti-CSRF tokens on sensitive actions, allowing an attacker to craft malicious requests that appear legitimate to the server [1].
Exploitation Details
Exploitation requires user interaction: a higher-privileged user (such as an administrator) must be tricked into clicking a malicious link, visiting a crafted page, or submitting a specially crafted form while authenticated to the WordPress site. No additional privileges are needed on the attacker's part beyond the ability to deliver the crafted request to the victim [1].
Impact
Successful exploitation enables an attacker to force the victim to perform unintended actions under their current authentication session. This could include changing plugin settings, modifying user roles, or other administrative actions, depending on the capabilities exposed by the plugin [1].
Mitigation
The vulnerability has been addressed in version 6.0.3 of the plugin. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer for temporary workarounds is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=6.0.2
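To act on the affected range and the fixed version named under Mitigation, the following added example (not part of the CVE record or the plugin's code) reads the plugin's header from a `wp-content/plugins` tree and reports whether the installed version falls at or below 6.0.2. The file name `plugin-main.php` and the header text are constructed for the demo; the 8 KiB header window mirrors how WordPress reads plugin headers.

```python
import re
import tempfile
from pathlib import Path

SLUG = "wpdm-premium-packages"  # plugin slug from the CVE description
LAST_AFFECTED = "6.0.2"         # upper bound of the affected range
HEADER_BYTES = 8192             # WordPress reads plugin headers from the first 8 KiB

def version_key(version):
    """'6.0.3-beta' -> (6, 0, 3); trailing zeros dropped so 6.0.2.0 == 6.0.2."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(version):
    # An unparseable version yields () and is reported as affected (fails closed).
    return version_key(version) <= version_key(LAST_AFFECTED)

def audit(plugins_dir):
    """Return (status, version) for the plugin under a wp-content/plugins directory."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
        if not re.search(r"^[ \t/*#@]*Plugin Name:", head, re.M | re.I):
            continue  # not the main plugin file
        m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", head, re.M | re.I)
        if m is None:
            return ("unknown", None)
        return ("affected" if is_affected(m.group(1)) else "fixed", m.group(1))
    return ("unknown", None)

def demo(version):
    """Build a constructed plugin tree with the given version and audit it."""
    with tempfile.TemporaryDirectory() as root:
        main = Path(root) / SLUG / "plugin-main.php"  # hypothetical file name
        main.parent.mkdir()
        main.write_text(f"<?php\n/*\n * Plugin Name: Sample (constructed)\n * Version: {version}\n */\n")
        return audit(root)

if __name__ == "__main__":
    for v in ("6.0.2", "6.0.3"):
        print(v, demo(v))
```

Point `audit()` at each site's real plugins directory to inventory a fleet; a result of `unknown` means the header could not be read and the install should be checked by hand.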
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.