VYPR
Medium severity 4.3 · NVD Advisory · Published Sep 5, 2025 · Updated Apr 23, 2026

CVE-2025-58792


Description

Cross-Site Request Forgery (CSRF) vulnerability in WPKube Authors List authors-list allows Cross Site Request Forgery. This issue affects Authors List: from n/a through <= 2.0.6.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in WPKube Authors List plugin <=2.0.6.2 lets attackers force privileged users to unknowingly perform unwanted actions.

Root Cause

The WPKube Authors List plugin for WordPress versions up to and including 2.0.6.2 contains a Cross-Site Request Forgery (CSRF) vulnerability. The plugin fails to validate or include a nonce token in certain requests, making it possible for an attacker to trick an authenticated administrator into performing unintended actions. [1]

Attack Vector

To exploit this CSRF flaw, an attacker must craft a malicious link or form and persuade a logged-in user with elevated privileges (such as an admin) to click it or submit it while their session is active. No authentication is required on the attacker's side, but the victim must have a valid session in the WordPress admin panel. The attack is typically delivered via social engineering, such as embedding the malicious request in an email or a third-party site. [1]

Impact

Successful exploitation allows the attacker to force the victim's browser to send forged requests to the affected site, potentially altering plugin settings, adding or deleting author entries, or performing other configuration changes within the context of the victim's session. The CVSS v3 base score is 4.3 (Medium), indicating the need for user interaction and that the attack does not directly lead to a data breach but can disrupt site administration. [1]

Mitigation

The vulnerability affects all versions up to 2.0.6.2. The vendor has released a patch in version 2.0.6.3 or later. Users should immediately update the plugin to the latest available version. If an update is not possible, site administrators should restrict administrative privileges and remain vigilant against phishing attempts. This CVE is not currently listed on CISA's Known Exploited Vulnerabilities catalog. [1]

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
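A triage check for the root cause and mitigation described above, as an added example that is not from the advisory, the vendor, or the plugin's code: it reads the plugin header version, compares it against the affected range (through 2.0.6.2), and flags `admin_post_*`/`wp_ajax_*` callbacks that contain no nonce verification. The sample source, hook names and function names are constructed for illustration, and the brace matching is a heuristic that does not parse PHP strings or comments.

```python
import re

AFFECTED_MAX = (2, 0, 6, 2)  # advisory: affected "through <= 2.0.6.2"
NONCE_CHECKS = ("check_admin_referer", "check_ajax_referer", "wp_verify_nonce")
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]((?:admin_post|wp_ajax)_\w+)['\"]\s*,\s*['\"](\w+)['\"]")

def plugin_version(php_source):
    """Read the Version field from a WordPress plugin header comment."""
    m = re.search(r"^[ \t/*#@]*Version:\s*([0-9.]+)", php_source, re.M | re.I)
    return tuple(int(p) for p in m.group(1).strip(".").split(".")) if m else None

def is_affected(version):
    # Tuple comparison, so 2.0.6.10 sorts after 2.0.6.2 (a string compare would not).
    return version is not None and version <= AFFECTED_MAX

def function_body(php_source, name):
    """Return the brace-delimited body of function `name` (naive brace counting)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", php_source)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(php_source) and depth:
        depth += {"{": 1, "}": -1}.get(php_source[i], 0)
        i += 1
    return php_source[m.end():i - 1]

def unguarded_handlers(php_source):
    """Request hooks whose callback body never calls a nonce-verification function."""
    flagged = []
    for hook, callback in HOOK_RE.findall(php_source):
        body = function_body(php_source, callback)
        if body is not None and not any(c in body for c in NONCE_CHECKS):
            flagged.append(hook)
    return flagged

# Constructed sample: only the version string comes from the advisory.
# Hook and function names are hypothetical, not the plugin's real code.
SAMPLE = """<?php
/*
 * Plugin Name: Authors List
 * Version: 2.0.6.2
 */
add_action('admin_post_example_save', 'example_save');
add_action('wp_ajax_example_reset', 'example_reset');
function example_save() { update_option('example_opt', $_POST['opt']); }
function example_reset() { check_ajax_referer('example_reset'); delete_option('example_opt'); }
"""
```

A flagged hook is a lead for manual review, not proof of a CSRF flaw: the nonce may be verified in a helper the callback calls.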

Affected products

1

Patches

0

No patches discovered yet.

References

1
