CVE-2025-58675
Description
Cross-Site Request Forgery (CSRF) vulnerability in tryinteract Interact: Embed A Quiz On Your Site interact-quiz-embed allows Cross Site Request Forgery. This issue affects Interact: Embed A Quiz On Your Site: from n/a through <= 3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the Interact: Embed A Quiz On Your Site plugin (≤3.1) allows attackers to force privileged users to execute unwanted actions.
Vulnerability: Cross-Site Request Forgery (CSRF) in the Interact: Embed A Quiz On Your Site plugin for WordPress (versions up to and including 3.1). The root cause is missing or insufficient CSRF token validation, which allows an attacker to craft malicious requests that are executed by an authenticated administrator without their consent [1].
Exploitation
To exploit this vulnerability, an attacker must trick a logged-in administrator into clicking a malicious link, visiting a crafted page, or submitting a specially crafted form. No other authentication is required beyond the victim's existing session. The attack is initiated remotely, and user interaction is required [1].
Impact
Successful exploitation could allow an attacker to perform unwanted actions under the victim's current authentication, such as changing plugin settings, deleting quizzes, or other administrative actions. The CVSS score of 4.3 (Medium) reflects the need for user interaction and the limited direct impact on data confidentiality or integrity [1].
Mitigation
The vulnerability has been addressed in version 3.2 of the plugin. Users are strongly advised to update to version 3.2 or later immediately. Patchstack users can enable auto-updates for vulnerable plugins. As this vulnerability is part of mass-exploit campaigns, prompt updating is critical [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.1
- Range: <=3.1
Patches
No patches discovered yet.