VYPR
Medium severity 4.3 · NVD Advisory · Published Sep 5, 2025 · Updated Apr 23, 2026

CVE-2025-58831

Description

Cross-Site Request Forgery (CSRF) vulnerability in snagysandor Parallax Scrolling Enllax.js parallax-scrolling-enllax-js allows Cross Site Request Forgery. This issue affects Parallax Scrolling Enllax.js: from n/a through <= 0.0.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-Site Request Forgery (CSRF) vulnerability in Parallax Scrolling Enllax.js WordPress plugin versions <=0.0.6 allows attackers to force privileged users to execute unwanted actions.

The Parallax Scrolling Enllax.js WordPress plugin (versions up to and including 0.0.6) contains a Cross-Site Request Forgery (CSRF) vulnerability. The plugin fails to implement proper CSRF tokens or validation on sensitive actions, allowing an attacker to craft malicious requests that appear legitimate to the server [1].

Exploitation requires user interaction: a privileged user (such as an administrator) must be tricked into clicking a malicious link, visiting a crafted page, or submitting a specially designed form while authenticated to the WordPress site. No additional privileges are needed from the attacker beyond the ability to deliver the crafted request [1].

Successful CSRF attacks can force the victim to perform unintended actions under their current session, such as modifying plugin settings, deleting content, or creating new administrative users. This can lead to partial loss of integrity and availability, depending on the actions executed [1].

As an immediate mitigation, users should update the plugin to a patched version if available. If no update exists, administrators should consider disabling the plugin or implementing additional CSRF protections, such as using a Web Application Firewall (WAF) or custom nonce checks. Hosting providers or web developers can assist with these measures [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
