CVE-2025-62872
Description
Cross-Site Request Forgery (CSRF) vulnerability in JK Social Photo Fetcher facebook-photo-fetcher allows Cross Site Request Forgery. This issue affects Social Photo Fetcher: from n/a through <= 3.0.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in WordPress Social Photo Fetcher plugin (≤3.0.4) allows attackers to force privileged users to perform unwanted actions.
Vulnerability
Overview
The Social Photo Fetcher plugin for WordPress (versions up to and including 3.0.4) contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing or insufficient nonce validation. This flaw enables an attacker to trick a logged-in administrator into executing unintended actions without their consent, as the plugin fails to verify the authenticity of requests [1].
Exploitation
Prerequisites
Exploitation requires social engineering: the attacker must convince a privileged user, such as an administrator, to click on a crafted link, visit a malicious page, or submit a form while they are authenticated to the WordPress site. No additional privileges are needed from the attacker, and the attack can be initiated remotely without authentication [1].
Impact
If successfully exploited, the attacker can force the victim to perform actions under their current session, such as changing plugin settings, importing malicious data, or deleting photos. This could potentially lead to further compromise of the WordPress installation, especially if combined with other vulnerabilities [1].
Mitigation
The vulnerability has been patched in version 3.0.5 or later. Users are strongly advised to update the plugin immediately. If updating is not possible, consider disabling the plugin or implementing additional security measures such as Web Application Firewall (WAF) rules to block CSRF attempts [1].
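The fix class described above is the standard WordPress nonce check. The following is an added illustration, not code from Social Photo Fetcher (the plugin's source and the actual patch are not on this page); the hook name `admin_post_spf_save`, the option `spf_album_id`, the nonce action `spf_save_settings` and the `manage_options` capability are assumptions chosen for the example. It shows a settings handler without a nonce check beside the hardened form, and the matching form field that emits the nonce.

```php
<?php
// Added illustration (not code from Social Photo Fetcher). Hook names,
// option names and the capability check are assumptions for the example.

// BEFORE: a settings handler with no nonce check. Any page the admin visits
// while logged in can submit a POST to admin-post.php?action=spf_save and
// the browser attaches the admin's session cookie, so the save goes through.
function spf_save_settings_vulnerable() {
    update_option( 'spf_album_id', sanitize_text_field( $_POST['album_id'] ?? '' ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=spf&saved=1' ) );
    exit;
}

// AFTER: the handler rejects any request that does not carry a nonce tied to
// the current user's session and to this specific action, and then re-checks
// the capability, because a nonce proves intent, not authorization.
function spf_save_settings_hardened() {
    // Stops with a 403 "The link you followed has expired" page unless
    // $_REQUEST['_wpnonce'] is a valid nonce for the 'spf_save_settings' action.
    check_admin_referer( 'spf_save_settings' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $album_id = sanitize_text_field( wp_unslash( $_POST['album_id'] ?? '' ) );
    update_option( 'spf_album_id', $album_id );
    wp_safe_redirect( admin_url( 'options-general.php?page=spf&saved=1' ) );
    exit;
}
add_action( 'admin_post_spf_save', 'spf_save_settings_hardened' );

// The plugin's own settings form emits the matching nonce. A third-party
// page cannot obtain it: WordPress derives it from the victim's user ID and
// session token, and it expires within a day.
function spf_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="spf_save">
        <?php wp_nonce_field( 'spf_save_settings' ); ?>
        <input type="text" name="album_id"
               value="<?php echo esc_attr( get_option( 'spf_album_id', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

For handlers reached through `admin-ajax.php`, the equivalent check is `check_ajax_referer()`; the same rule applies to any state-changing request, including delete and import actions, not only the settings page. A WAF rule can only approximate this (for instance by requiring a same-origin `Origin` or `Referer` header on admin POSTs) and is a stopgap until the plugin is updated to a version that performs the nonce check itself.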
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.0.4
- Range: <=3.0.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.