CVE-2025-60145
Description
Cross-Site Request Forgery (CSRF) vulnerability in yonifre Lenix scss compiler lenix-scss-compiler allows Cross Site Request Forgery. This issue affects Lenix scss compiler: from n/a through <= 1.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the Lenix scss compiler WordPress plugin allows attackers to force privileged users to execute unwanted actions.
Vulnerability
Overview
The Lenix scss compiler plugin for WordPress (versions up to and including 1.2) contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw arises because the plugin does not properly validate or require a nonce or other anti-CSRF token when processing state-changing requests. As a result, an attacker can craft a malicious link or form that, when clicked or submitted by an authenticated administrator, triggers unintended actions on the victim's site [1].
Exploitation
Prerequisites
Exploitation requires user interaction: a privileged user (such as an administrator) must be tricked into clicking a malicious link, visiting a crafted page, or submitting a specially designed form while authenticated to the WordPress admin panel. No additional authentication is needed for the attacker beyond the ability to deliver the crafted request to the victim. The attack can be performed remotely without any special network position [1].
Impact
Successful exploitation allows an attacker to force the victim to perform actions under their current session, such as modifying plugin settings, deleting data, or performing other administrative tasks without the victim's consent. This could lead to partial loss of integrity and availability of the affected site, depending on the actions executed [1].
Mitigation
The vulnerability affects all versions of the Lenix scss compiler plugin up to and including 1.2. Users are strongly advised to update the plugin to a patched version as soon as it becomes available. If an update is not possible, consider disabling the plugin or implementing additional security measures such as Web Application Firewall (WAF) rules to block CSRF attacks. The vendor has been notified and a fix is expected [1].
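While no patched release exists, one way to triage an installed plugin is to list the request handlers it registers and flag those whose callback never verifies a nonce. The script below is an added example, not code from this page or from the plugin; the PHP sample and its `demo_*` names are constructed, and the brace matching is a heuristic that assumes plain named-function callbacks.

```python
import re
# WordPress core functions that verify an anti-CSRF nonce.
NONCE_CHECKS = ("check_admin_referer", "check_ajax_referer", "wp_verify_nonce")
# Hooks that route browser-initiated requests to a plugin callback.
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]((?:admin_post_|wp_ajax_)[\w-]+)['"]\s*,\s*['"](\w+)['"]""")

def function_body(php_source, name):
    """Return the brace-balanced body of a named PHP function, or None.
    Heuristic: braces inside strings or comments are not recognised."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", php_source)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(php_source) and depth:
        depth += {"{": 1, "}": -1}.get(php_source[i], 0)
        i += 1
    return php_source[m.end():i - 1]

def handlers_without_nonce(php_source):
    """List (hook, callback) pairs whose callback never calls a nonce check."""
    findings = []
    for hook, callback in HOOK_RE.findall(php_source):
        body = function_body(php_source, callback)
        if body is None:
            continue  # callback is a method, closure, or lives in another file
        if not any(re.search(r"\b" + c + r"\s*\(", body) for c in NONCE_CHECKS):
            findings.append((hook, callback))
    return findings

# Constructed sample input (hypothetical plugin code, not from lenix-scss-compiler).
SAMPLE = r"""<?php
add_action( 'admin_post_demo_save_settings', 'demo_save_settings' );
function demo_save_settings() {
    // A capability check alone does not stop CSRF: the forged request
    // arrives with the administrator's own session cookies.
    if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }
    update_option( 'demo_output_dir', sanitize_text_field( $_POST['dir'] ) );
}
add_action( 'admin_post_demo_clear_cache', 'demo_clear_cache' );
function demo_clear_cache() {
    check_admin_referer( 'demo_clear_cache' );
    delete_option( 'demo_cache' );
}
"""

if __name__ == "__main__":
    for hook, callback in handlers_without_nonce(SAMPLE):
        print(f"no nonce check: {hook} -> {callback}()")
```

A flagged handler is a lead for manual review, not proof of a flaw: the nonce may be verified in a helper the callback calls.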
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 1.2
- (no CPE) range: <=1.2
Patches
No patches discovered yet.
References