CVE-2025-62101
Description
Cross-Site Request Forgery (CSRF) vulnerability in Omid Shamloo Pardakht Delkhah pardakht-delkhah allows Cross Site Request Forgery. This issue affects Pardakht Delkhah: from n/a through <= 3.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the WordPress Pardakht Delkhah plugin up to version 3.0.0 allows attackers to force privileged users to execute unwanted actions.
Vulnerability Overview
The Pardakht Delkhah WordPress plugin, developed by Omid Shamloo, contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 3.0.0 [1]. This flaw arises from insufficient validation of request origins, enabling an attacker to trick authenticated users into performing unintended actions without their consent [1].
Exploitation Requirements
Exploitation requires user interaction: a privileged user must click a malicious link, visit a crafted page, or submit a specially designed form while authenticated to the WordPress site [1]. The attacker does not need direct access to the site but can initiate the attack remotely by luring a logged-in administrator or other high-privilege user into performing the forged request [1].
Impact
Successful exploitation could allow a malicious actor to force higher-privileged users to execute unwanted actions under their current authentication session, such as changing settings, creating new admin accounts, or modifying plugin configurations [1]. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].
Mitigation
The vendor has not released a patched version beyond 3.0.0, and users are advised to update the plugin immediately if a fix becomes available. As an interim measure, site administrators should contact their hosting provider or web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
- Range: <= 3.0.0
- Range: <= 3.0.0
Patches
0
No patches discovered yet.
References
1
News mentions
0
No linked articles in our index yet.