CVE-2025-58865
Description
Cross-Site Request Forgery (CSRF) vulnerability in reimund Compact Admin compact-admin allows Cross Site Request Forgery. This issue affects Compact Admin: from n/a through <= 1.3.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Request Forgery (CSRF) vulnerability in Compact Admin plugin (<=1.3.3) allows unauthenticated attackers to force privileged users to execute unwanted actions.
Vulnerability Overview
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Compact Admin plugin for WordPress, affecting versions 1.3.3 and earlier. The plugin fails to implement proper nonce validation on certain actions, allowing an attacker to craft malicious requests that are executed under the authentication of a privileged user [1].
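For reference, this is what nonce validation on a WordPress settings action looks like. It is an added example, not Compact Admin's code: the handler, the action name `example_plugin_save`, the nonce field `example_plugin_nonce` and the option `example_plugin_options` are hypothetical.

```php
<?php
// Hypothetical plugin code: every "example_plugin_*" name and the
// "compact_menu" setting are illustrative, not taken from Compact Admin.

// Render the settings form. wp_nonce_field() emits a hidden token bound to
// the current user, their session and the named action.
function example_plugin_render_form() {
    $options = get_option( 'example_plugin_options', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save" />
        <?php wp_nonce_field( 'example_plugin_save', 'example_plugin_nonce' ); ?>
        <label>
            <input type="checkbox" name="compact_menu" value="1"
                <?php checked( ! empty( $options['compact_menu'] ) ); ?> />
            Compact menu
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the POST. A handler that skips check (2) accepts any request that
// arrives with the administrator's session cookie, whichever site sent it.
function example_plugin_handle_save() {
    // (1) Authorization: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // (2) CSRF: stops the request if the nonce is missing, expired or was
    // issued for a different user or action.
    check_admin_referer( 'example_plugin_save', 'example_plugin_nonce' );

    // Store only the expected key, normalised to 0 or 1.
    update_option( 'example_plugin_options', array(
        'compact_menu' => isset( $_POST['compact_menu'] ) ? 1 : 0,
    ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_plugin_save', 'example_plugin_handle_save' );
```

The capability check alone does not stop CSRF, because the forged request runs with the administrator's own privileges; the nonce check is what rejects it.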
Attack Vector
Exploitation requires a privileged user to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form. An unauthenticated attacker can craft a request (e.g., to change settings) and trick a logged-in administrator into submitting it. No direct authentication is needed for the attacker, but user interaction is required [1].
Impact
Successful exploitation could allow an attacker to force higher-privileged users to execute unwanted actions under their current session, potentially leading to unauthorized changes in plugin settings or other administrative actions. The CVSS score is 4.3 (Medium) [1].
Mitigation
The vendor has not released a patch as of the publication date. Users are advised to update the plugin if a new version becomes available, or seek assistance from their hosting provider or web developer. This vulnerability is known to be used in mass-exploit campaigns [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.