CVE-2025-60113
Description
Cross-Site Request Forgery (CSRF) vulnerability in grooni Groovy Menu groovy-menu-free allows Cross Site Request Forgery. This issue affects Groovy Menu: from n/a through <= 1.4.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Request Forgery (CSRF) vulnerability in Groovy Menu plugin for WordPress allows attackers to force privileged users to execute unintended actions.
Vulnerability Description
A Cross-Site Request Forgery (CSRF) vulnerability exists in the WordPress Groovy Menu plugin (groovy-menu-free) up to version 1.4.3. The flaw occurs due to insufficient protection against forged requests, enabling attackers to trick authenticated users into performing actions they did not intend [1].
Exploitation
Attackers can exploit this vulnerability by crafting malicious links, pages, or forms that, when a privileged user (e.g., an admin) interacts with them, trigger unwanted actions under the victim's current authentication. The attack requires user interaction, such as clicking a link or submitting a form; the attacker needs no special privileges, only social engineering [1].
Impact
Successful exploitation allows an attacker to force higher-privileged users to execute actions on the WordPress site, such as modifying settings, creating new admin accounts, or injecting malicious content. This could lead to full site compromise if chained with other vulnerabilities [1].
Mitigation
The vendor has released updates to address this issue. Users are strongly advised to update the plugin to the latest version. If updating is not immediately possible, users should consult their hosting provider or a web developer for assistance. This vulnerability is known to be targeted in mass exploitation campaigns, making timely patching critical [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.4.3
Patches
No patches discovered yet.
References