VYPR
Medium severity 4.3 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2025-62102

Description

Cross-Site Request Forgery (CSRF) vulnerability in apasionados DoFollow Case by Case dofollow-case-by-case allows Cross Site Request Forgery. This issue affects DoFollow Case by Case: from n/a through <= 3.5.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in DoFollow Case by Case plugin for WordPress allows attackers to force privileged users to execute unwanted actions.

Vulnerability Overview

The DoFollow Case by Case WordPress plugin (versions up to and including 3.5.1) is vulnerable to Cross-Site Request Forgery (CSRF). This vulnerability arises from missing or insufficient CSRF token validation in the plugin's admin functionality, enabling unauthorized commands to be submitted on behalf of an authenticated administrator [1].

Exploitation Prerequisites

Exploitation requires a privileged user (e.g., administrator) to perform an action such as clicking a malicious link or visiting a crafted page while authenticated to the WordPress site. The attacker must trick the user into initiating the request, but no additional authentication or network access is needed beyond standard web interaction [1].

Impact

A successful CSRF attack can force the targeted user to execute unintended actions under their current privileges, such as changing plugin settings or other administrative operations. Because the targeted user has elevated access, the attacker can make these modifications without authenticating to the site directly [1].

Mitigation

The vendor has addressed this vulnerability in version 3.6.0 of the plugin. Users are advised to update to 3.6.0 or later to remediate the issue. Patchstack users can enable auto-updates for vulnerable plugins. The vulnerability is rated with a medium severity (CVSS 4.3) and is considered low risk for exploitation, though it may be used in mass campaigns against unpatched sites [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 1
