VYPR
Medium severity · CVSS 5.4 · NVD Advisory · Published Sep 5, 2025 · Updated Apr 23, 2026

CVE-2025-58801

Description

Cross-Site Request Forgery (CSRF) vulnerability in KCS Responder (responder) allows Cross-Site Request Forgery. This issue affects Responder: from n/a through 4.3.8 (inclusive).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in the WordPress Responder plugin by KCS (all versions up to and including 4.3.8) lets an attacker make a logged-in privileged user's browser submit state-changing requests to the plugin that the user never intended.

A Cross-Site Request Forgery (CSRF) vulnerability exists in the KCS Responder plugin for WordPress, affecting all versions up to and including 4.3.8. Some of the plugin's state-changing endpoints neither verify a WordPress nonce nor apply any other anti-forgery token, so a request that originates from a page the attacker controls is handled exactly like one submitted from the plugin's own admin screen: the browser attaches the victim's WordPress authentication cookies automatically, and the handler holds nothing that proves the user intended the action. This is a classic CSRF flaw rooted in missing anti-forgery protections [1].

To exploit it, an attacker must get a privileged user, such as an administrator or editor, to open a malicious link or crafted page, or to submit a prepared form, while that user is logged in to the target site. The attacker needs no credentials of their own: the crafted page submits the forged request and the victim's browser supplies the session. Delivery is typically by phishing or other social engineering, so the attack requires user interaction and an active victim session [1].
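What the missing check looks like in a WordPress request handler, as an added example that is not code from the Responder plugin: the reference does not publish the plugin's real endpoints or option names, so the action name, option key and capability below are hypothetical placeholders. The first handler is authenticated but has no proof of intent, which is the condition the two paragraphs above describe; the second adds the nonce verification that closes the gap, and the form shows where the matching nonce is issued.

```php
<?php
/*
 * Added example, not the Responder plugin's own code. The action name
 * 'responder_save_settings', the option 'responder_notify_email' and the
 * 'manage_options' capability are hypothetical placeholders.
 */

/* --- Vulnerable pattern: authentication only, no proof of intent. ---
 * A page on attacker.example (hypothetical host) can contain:
 *   <form method="POST" action="https://victim.example/wp-admin/admin-post.php">
 *     <input type="hidden" name="action" value="responder_save_settings">
 *     <input type="hidden" name="responder_notify_email" value="attacker@attacker.example">
 *   </form><script>document.forms[0].submit()</script>
 * The victim's browser attaches its WordPress authentication cookies, so the
 * request passes the capability check, and nothing shows the victim meant to send it.
 */
function responder_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // No check_admin_referer() / wp_verify_nonce(): any cross-site POST is accepted.
    $email = sanitize_email( wp_unslash( $_POST['responder_notify_email'] ?? '' ) );
    update_option( 'responder_notify_email', $email );
    wp_safe_redirect( admin_url( 'admin.php?page=responder&updated=1' ) );
    exit;
}

/* --- Hardened pattern: capability check AND nonce verification. --- */
function responder_save_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Dies with a 403 unless _wpnonce is a valid nonce for this action issued
    // to this user. The nonce is only emitted on the plugin's own settings page,
    // which a cross-site page cannot read, so a forged request cannot carry it.
    check_admin_referer( 'responder_save_settings' );

    $email = sanitize_email( wp_unslash( $_POST['responder_notify_email'] ?? '' ) );
    update_option( 'responder_notify_email', $email );
    wp_safe_redirect( admin_url( 'admin.php?page=responder&updated=1' ) );
    exit;
}
// admin-post.php dispatches POST action=responder_save_settings to this hook.
add_action( 'admin_post_responder_save_settings', 'responder_save_settings_fixed' );

/* The legitimate form must carry the matching nonce for the check to pass. */
function responder_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="responder_save_settings">
        <?php wp_nonce_field( 'responder_save_settings' ); ?>
        <label>Notification e-mail
            <input type="email" name="responder_notify_email"
                   value="<?php echo esc_attr( get_option( 'responder_notify_email', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce check is not a substitute for the capability check, and the capability check is not a substitute for the nonce: the first answers "may this user do this at all", the second "did this user actually ask for it". A WordPress nonce is bound to the action and the user and expires after at most 24 hours, so it cannot be harvested once and replayed indefinitely. For `wp_ajax_*` handlers the equivalent call is `check_ajax_referer()`. Do not rely on browser SameSite cookie defaults instead: WordPress core sets no SameSite attribute on its authentication cookies, browsers differ in what they apply by default, and a handler that also accepts the request via GET is reachable by a plain top-level link regardless.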

Successful exploitation makes the site perform the forged action with the victim's privileges. What that yields depends on which unprotected endpoint is reached and on the victim's role; changing the plugin's settings or the data it manages is the typical outcome. The CVSS score of 5.4 (Medium) reflects that exploitation needs user interaction and that the damage is bounded by what the forged request can change in the victim's session, but the integrity impact is real [1].

Reference [1] reports the issue fixed in Responder 4.4.0; sites running 4.3.8 or earlier should update to that version or later without delay. For Patchstack users, enabling auto-updates for vulnerable plugins is the recommended way to receive the fix. Until the update is applied the only workaround is behavioural: privileged users should not follow links from untrusted sources while logged in to the WordPress admin area, and logging out when administration is done removes the active session the attack depends on [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 1

News mentions: 0 (no linked articles in our index yet)