CVE-2025-62107
Description
Cross-Site Request Forgery (CSRF) vulnerability in PluginOps Feather Login Page feather-login-page allows Cross Site Request Forgery. This issue affects Feather Login Page: from n/a through <= 1.1.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Feather Login Page plugin <= 1.1.7 is vulnerable to CSRF, allowing an attacker to force privileged users to perform unintended actions.
Vulnerability overview
The Feather Login Page WordPress plugin, in versions up to and including 1.1.7, contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. This flaw allows an attacker to trick a higher-privileged user (such as an administrator) into executing unwanted actions under their current authentication session [1].
Exploitation detail
CSRF vulnerabilities require user interaction — the victim must click a malicious link, visit a crafted page, or submit a specially prepared form. No direct authentication is needed on the attacker's part; instead, the attack leverages the already-authenticated session of the targeted privileged user [1].
Impact
Successful exploitation could enable an attacker to force the victim to perform actions such as changing settings, creating new admin accounts, or modifying plugin configurations, depending on the privileges of the targeted user. This means an attacker could potentially gain administrative control over the WordPress site [1].
Mitigation
The vulnerability is fixed by a patch. Users should immediately update the Feather Login Page plugin to the latest version. If updating is not immediately possible, temporary workarounds such as disabling the plugin or using a web application firewall (WAF) may help until the update can be applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.1.7
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.