CVE-2025-62113
Description
Cross-Site Request Forgery (CSRF) vulnerability in emendo_seb Co-marquage service-public.fr co-marquage-service-public allows Cross Site Request Forgery. This issue affects Co-marquage service-public.fr: from n/a through <= 0.5.77.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the WordPress Co-marquage service-public.fr plugin (≤0.5.77) allows attackers to force privileged users into executing unwanted actions.
Vulnerability Overview
The Co-marquage service-public.fr WordPress plugin versions up to and including 0.5.77 contain a Cross-Site Request Forgery (CSRF) vulnerability [1]. This flaw arises because the plugin fails to implement proper CSRF tokens or other validation mechanisms on sensitive actions, allowing an attacker to craft malicious requests that appear legitimate to the server.
Exploitation Prerequisites
Exploitation requires user interaction: a privileged user (such as an administrator) must be tricked into clicking a malicious link, visiting a crafted page, or submitting a specially designed form while authenticated to the WordPress site [1]. The attacker does not need direct access to the site but can deliver the payload via email, social engineering, or other means.
Impact
A successful CSRF attack can force the victim to perform unintended actions under their current session, such as changing plugin settings, modifying content, or creating new administrative users [1]. This could lead to partial loss of integrity and availability, depending on the privileges of the targeted user.
Mitigation
The vendor has not released a patched version at the time of publication; users are advised to update the plugin as soon as a fix becomes available [1]. As an immediate workaround, administrators should avoid clicking suspicious links while logged into the WordPress admin panel and consider using additional security plugins that add CSRF protections.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <= 0.5.77
- Range: <= 0.5.77
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.