CVE-2025-58199
Description
Cross-Site Request Forgery (CSRF) vulnerability in Fastly Fastly fastly allows Cross Site Request Forgery. This issue affects Fastly: from n/a through <= 1.2.28.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Request Forgery in the WordPress Fastly plugin (≤1.2.28) allows attackers to force privileged users to execute unintended actions.
Vulnerability Overview
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Fastly plugin for WordPress versions up to and including 1.2.28. The plugin fails to validate or verify the origin of requests, allowing an attacker to craft malicious requests that are executed by an authenticated administrator without their knowledge [1].
Exploitation Requirements
Exploitation requires the victim (a privileged user) to be logged into the WordPress admin panel and to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form. No direct authentication is needed by the attacker, but the victim must have sufficient privileges to execute the desired action [1].
Impact
An attacker can trick a privileged user into performing unauthorized actions, such as changing settings or performing state-altering operations, under the victim's current session. This can lead to configuration changes or other unintended modifications to the site [1].
Mitigation
The vulnerability has been patched in version 1.2.29. Users are strongly advised to update to the latest version. Patchstack users can enable auto-updates for vulnerable plugins. The CVSS score is 4.3 (Medium), and the Patchstack advisory notes that this vulnerability is unlikely to be exploited on a large scale; updating remains the recommended action [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.2.28
- (no CPE) range: <= 1.2.28
Package: https://wordpress.org/plugins/fastly
Patches
No patches discovered yet.
References