VYPR
Medium severity (CVSS 4.3), NVD Advisory. Published Sep 26, 2025. Updated Apr 23, 2026.

CVE-2025-58914

Description

Cross-Site Request Forgery (CSRF) vulnerability in Di Themes Di Themes Demo Site Importer di-themes-demo-site-importer allows Cross Site Request Forgery. This issue affects Di Themes Demo Site Importer: from n/a through <= 1.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Di Themes Demo Site Importer plugin for WordPress is vulnerable to CSRF, allowing attackers to force plugin activation by tricking an admin into clicking a malicious link.

Vulnerability

Overview

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Di Themes Demo Site Importer plugin for WordPress, affecting versions up to and including 1.2. The plugin fails to implement proper nonce validation during plugin activation requests, enabling an attacker to perform unauthorized actions on behalf of an authenticated administrator.

Exploitation

To exploit this vulnerability, an attacker crafts a malicious link or webpage that, when clicked by a logged-in administrator, triggers the activation of arbitrary plugins. Exploitation requires user interaction, as the administrator must be tricked into performing the action—such as clicking a link or submitting a form. No special privileges are needed beyond the administrator's session [1].

Impact

Successful exploitation could allow an attacker to force the activation of plugins, potentially including malicious ones. This could lead to further compromise of the WordPress site, such as installation of backdoors or other harmful functionality. The CVSS score of 4.3 (Medium) reflects the reliance on user interaction and the limited scope of actions that can be coerced [1].

Mitigation

As of the publication date, no official patch has been released by the vendor. Users are strongly advised to update the plugin immediately if a fix becomes available. In the absence of a patch, consider removing the plugin or restricting access to its functionality. Administrators should also exercise caution when clicking links or interacting with untrusted content [1].
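The root cause the overview describes is a state-changing admin request that is accepted without a nonce tied to the requesting user's session. The following PHP is an illustrative example added here; it is not code from the Di Themes Demo Site Importer plugin. The action slug `demo_importer_activate`, the nonce action `demo_importer_activate_plugin`, the field names `plugin` and `_demo_importer_nonce`, and the `demo_importer_allowed_plugins` filter are hypothetical names chosen for the example; the WordPress functions called (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `activate_plugin`) are the real core API.

```php
<?php
// Added example: the vulnerable handler pattern beside a hardened one.
// Hypothetical names (not from the plugin): demo_importer_activate,
// demo_importer_activate_plugin, _demo_importer_nonce, demo_importer_allowed_plugins.

if ( ! function_exists( 'activate_plugin' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

// --- Vulnerable pattern ---
// Capability is checked, but nothing proves the request came from a form the
// administrator actually submitted, so a request initiated by another site
// while the admin is logged in is processed just the same (CSRF).
function demo_importer_activate_vulnerable() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $plugin = isset( $_REQUEST['plugin'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['plugin'] ) )
        : '';
    $result = activate_plugin( $plugin ); // no nonce verification
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ) );
    }
    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}

// --- Hardened pattern ---
// 1. Accept only POST (GET links cannot trigger the action).
// 2. Require a nonce bound to this action and the current user's session.
// 3. Re-check the capability after the nonce, not instead of it.
// 4. Restrict the plugin slug to an allow-list (defense in depth).
function demo_importer_activate_hardened() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'Method not allowed.', '', array( 'response' => 405 ) );
    }
    // check_admin_referer() terminates with a 403 when the nonce is missing,
    // expired, or was issued to a different user.
    check_admin_referer( 'demo_importer_activate_plugin', '_demo_importer_nonce' );

    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $plugin  = isset( $_POST['plugin'] )
        ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) )
        : '';
    $allowed = apply_filters( 'demo_importer_allowed_plugins', array() ); // hypothetical filter
    if ( '' === $plugin || ! in_array( $plugin, $allowed, true ) ) {
        wp_die( 'Plugin not permitted.', '', array( 'response' => 400 ) );
    }

    $result = activate_plugin( $plugin );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ) );
    }
    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}
add_action( 'admin_post_demo_importer_activate', 'demo_importer_activate_hardened' );

// The legitimate form embeds the matching nonce; a cross-origin page cannot
// read it, so a forged request fails check_admin_referer().
function demo_importer_render_form( $plugin ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_importer_activate">
        <input type="hidden" name="plugin" value="<?php echo esc_attr( $plugin ); ?>">
        <?php wp_nonce_field( 'demo_importer_activate_plugin', '_demo_importer_nonce' ); ?>
        <?php submit_button( 'Activate plugin' ); ?>
    </form>
    <?php
}
```

The nonce check is the fix for the class of bug described above; the POST-only requirement and the allow-list are extra layers that limit what a coerced request could do even if a check were later regressed. When reviewing a plugin for this defect, look for handlers hooked to `admin_post_*`, `admin_init`, or `wp_ajax_*` that call `activate_plugin()` or similar state-changing functions without a preceding `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()`.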

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in the index yet)