CVE-2025-60115
Description
Cross-Site Request Forgery (CSRF) vulnerability in instapagedev Instapage Plugin instapage allows Cross Site Request Forgery. This issue affects Instapage Plugin: from n/a through <= 3.7.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Request Forgery in Instapage WordPress plugin allows attackers to force privileged users to execute unwanted actions, patched in 3.7.1.
Vulnerability Overview
The Instapage WordPress plugin (versions up to 3.7.0) is vulnerable to Cross-Site Request Forgery (CSRF). This type of vulnerability occurs when the plugin fails to properly validate nonces or implement anti-CSRF tokens, allowing an attacker to craft requests that appear to come from an authenticated user [1].
Exploitation Prerequisites
Exploitation requires an authenticated user with higher privileges (such as an administrator) to be tricked into clicking a malicious link, visiting a crafted page, or submitting a form. The attacker does not need authentication but relies on the victim's active session to execute unauthorized actions [1].
Impact
A successful CSRF attack can force the victim to perform unintended actions under their current authentication, such as changing plugin settings, deactivating the plugin, or other administrative actions. This vulnerability is noted to be used in mass-exploit campaigns targeting thousands of websites [1].
Mitigation
The issue is patched in version 3.7.1. Users are advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. The CVSS score is 4.3 (Medium), and while exploitation is unlikely, immediate action is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
- Range: <=3.7.0
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.