CVE-2025-60137
Description
Cross-Site Request Forgery (CSRF) vulnerability in Galaxy Weblinks Post Featured Video (post-featured-video) allows Cross Site Request Forgery. This issue affects Post Featured Video: from n/a through <= 1.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in WordPress Post Featured Video plugin (<=1.7) allows attackers to trick privileged users into performing unintended actions.
Vulnerability
Overview
The Post Featured Video plugin for WordPress, up to and including version 1.7, contains a Cross-Site Request Forgery (CSRF) vulnerability. This issue arises from missing or insufficient CSRF protection mechanisms, allowing an attacker to forge requests that can be executed by a legitimate administrator or other privileged user without their knowledge. [1]
Exploitation
Details
To exploit this vulnerability, an attacker must trick a logged-in user with sufficient privileges (e.g., an admin) into clicking a malicious link, visiting a crafted page, or submitting a fraudulent form. No authentication is required beyond the victim's session; the attack relies on the victim's active session to perform unauthorized actions. The required user interaction is a key factor, but the attack can be automated by sending phishing emails or embedding malicious content on other sites. [1]
Impact
Successful CSRF exploitation enables the attacker to force the victim's browser to perform actions under their current authentication. This could include changing plugin settings, adding or modifying featured videos, or other configuration changes, potentially leading to further compromise or site defacement. As noted in the advisory, such vulnerabilities are frequently used in mass-exploit campaigns targeting thousands of WordPress sites. [1]
Mitigation
The plugin vendor has not yet released a patch (as of the advisory date). Update the plugin as soon as a fixed version becomes available. Until then, users should ensure strong defensive measures such as nonce checking and referrer validation are implemented on the server side, or consider replacing the plugin. [1]
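As an added illustration (not the plugin's own code, which is not on this page), the following shows how a WordPress plugin's settings handler applies the nonce and capability checks the mitigation above refers to; the option name, action name and field names are placeholders chosen for this example.

```php
<?php
// Hypothetical admin-post handler for a WordPress plugin settings form.
// Added example, not code from the Post Featured Video plugin.
// 'pfv_example_settings', 'pfv_save_settings' and 'pfv_nonce' are placeholders.

// Render the settings form. wp_nonce_field() embeds a per-user, time-limited
// token that a page on another origin cannot read and therefore cannot forge.
function pfv_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="pfv_save_settings">
        <?php wp_nonce_field( 'pfv_save_settings', 'pfv_nonce' ); ?>
        <label>Default video URL
            <input type="url" name="pfv_default_url">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the submission. Both checks are needed: the capability check stops
// low-privilege accounts, and the nonce check stops a forged request that
// rides on an administrator's existing session (the CSRF pattern above).
function pfv_example_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    // Dies with a 403 page when the nonce is absent, expired, or was issued
    // for a different user or action.
    check_admin_referer( 'pfv_save_settings', 'pfv_nonce' );

    $url = isset( $_POST['pfv_default_url'] )
        ? esc_url_raw( wp_unslash( $_POST['pfv_default_url'] ) )
        : '';
    update_option( 'pfv_example_settings', array( 'default_url' => $url ) );

    wp_safe_redirect( add_query_arg( 'pfv_saved', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_pfv_save_settings', 'pfv_example_save_settings' );
```

A handler that omits the `check_admin_referer()` call accepts the same POST when it is submitted from any site the administrator happens to visit, which is the defect class this CVE describes.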
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.