VYPR
Medium severity 4.3 · NVD Advisory · Published Dec 31, 2025 · Updated Apr 23, 2026

CVE-2025-62148

Description

Cross-Site Request Forgery (CSRF) vulnerability in Eugen Bobrowski Robots.txt rewrite robotstxt-rewrite allows Cross Site Request Forgery. This issue affects Robots.txt rewrite: from n/a through <= 1.6.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Robots.txt rewrite plugin for WordPress (≤1.6.1) lacks CSRF protection, enabling attackers to trick authenticated administrators into unintended actions.

The Robots.txt rewrite WordPress plugin, in versions up to and including 1.6.1, has a Cross-Site Request Forgery (CSRF) vulnerability [1]. The plugin does not implement proper CSRF tokens or other validation mechanisms on state-changing requests, allowing a malicious actor to forge requests on behalf of a logged-in administrator without their consent.

Exploitation

Exploitation requires user interaction: an authenticated administrator must be tricked into clicking a malicious link, visiting a crafted page, or submitting a specially crafted form while their session is active [1]. The attacker needs no authentication of their own, but the target user must have administrative privileges on the WordPress site for the forged request to execute privileged actions.

Impact

A successful CSRF attack can force an administrator to perform unintended actions, such as modifying the plugin's settings or other actions that the attacker specifies [1]. This could lead to unauthorized changes to the site's robots.txt configuration, potentially impacting search engine indexing or other site behavior.

Mitigation

The vulnerability affects all versions up to and including 1.6.1. The immediate recommended action is to update the plugin to a patched version if available [1]. For sites where immediate updating is not possible, administrators should be cautious of unsolicited links and consider temporary workarounds, such as disabling the plugin until a fix is applied [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
