CVE-2025-58219
Description
Cross-Site Request Forgery (CSRF) vulnerability in LIJE Show Pages List show-pages-list allows Cross Site Request Forgery. This issue affects Show Pages List: from n/a through <= 1.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the Show Pages List plugin for WordPress allows attackers to force privileged users to perform unintended actions.
Vulnerability Overview
A Cross-Site Request Forgery (CSRF) vulnerability exists in the LIJE Show Pages List plugin for WordPress, affecting versions from n/a through 1.2.0. The root cause is the lack of proper CSRF token validation or nonce verification in requests that trigger state-changing actions, enabling attackers to forge requests on behalf of authenticated users [1].
Exploitation Conditions
Exploitation requires user interaction: a privileged user must be tricked into clicking a malicious link or visiting a crafted page while authenticated to the WordPress admin panel. No authentication is needed for the attacker, but the target user must have sufficient privileges (e.g., administrator or editor) to perform the forged action [1].
Impact
A successful CSRF attack can force the target user to execute unwanted actions under their current authentication session, such as modifying plugin settings, creating or deleting pages, or altering site configurations. This could lead to unauthorized changes and potentially compromise the integrity of the WordPress site [1].
Mitigation
Users are urged to update the plugin to a patched version as soon as possible. As of September 2025, no official patch has been released for versions through 1.2.0. Until a fix is available, administrators should consider temporarily disabling the plugin or implementing additional CSRF protections, such as using a web application firewall (WAF). The vulnerability is noted to be used in mass-exploit campaigns, emphasizing the need for prompt action [1].
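A log triage check for the conditions described above, as an added example that is not part of the CVE record or the plugin's code: it scans combined-format access logs for wp-admin requests that arrived with a cross-site Referer, or POSTs that carried none. The hostname, the sample log lines, and the assumption that the slug show-pages-list appears in the plugin's admin URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: ip - user [time] "METHOD target proto" status size "referer" "ua"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)
SITE_HOST = "blog.example.test"  # assumption: hostname of the protected site
PLUGIN_SLUG = "show-pages-list"  # slug from the advisory; assumed to appear in admin URLs


def classify(line, site_host=SITE_HOST):
    """Return a finding dict for a suspicious wp-admin request, else None."""
    m = LINE.match(line)
    if not m or not urlsplit(m["target"]).path.startswith("/wp-admin/"):
        return None
    referer = m["referer"]
    ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
    if ref_host is None:
        # A GET without Referer is routine (bookmark, typed URL); a POST deserves a look.
        reason = "post-without-referer" if m["method"] == "POST" else None
    elif ref_host.lower() != site_host.lower():
        reason = "cross-site-referer"
    else:
        reason = None
    if reason is None:
        return None
    return {"time": m["time"], "method": m["method"], "target": m["target"],
            "referer_host": ref_host, "reason": reason,
            "touches_plugin": PLUGIN_SLUG in m["target"]}


def scan(lines, site_host=SITE_HOST):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(line, site_host) for line in lines) if f]


# Constructed sample lines (not real traffic; the admin URLs are illustrative).
SAMPLE = [
    '203.0.113.7 - - [02/Sep/2025:10:01:00 +0000] "GET /wp-admin/options-general.php?page=show-pages-list HTTP/1.1" 200 512 "https://blog.example.test/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Sep/2025:10:04:12 +0000] "POST /wp-admin/options-general.php?page=show-pages-list HTTP/1.1" 302 0 "https://promo.example.net/win.html" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Sep/2025:10:05:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Sep/2025:10:06:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Sep/2025:10:07:30 +0000] "GET /index.php HTTP/1.1" 200 4096 "https://search.example.org/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A hit is a lead for review, not proof of a forged request: privacy tools strip the Referer header and legitimate links into wp-admin from other sites do occur.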
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=1.2.0
- Range: <=1.2.0
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.