CVE-2025-62891

Vulnerability

Overview

CVE-2025-62891 is a Cross-Site Request Forgery (CSRF) vulnerability in the Off-Canvas Sidebars & Menus (Slidebars) plugin for WordPress, affecting versions from n/a through 0.5.8.5. The issue arises because the plugin does not properly validate or enforce anti-CSRF tokens on certain requests, allowing an attacker to craft malicious links or forms that, when clicked or submitted by a privileged user, perform unintended actions on the victim's behalf [1].

Exploitation

Prerequisites

Exploitation requires user interaction: a privileged user (such as an administrator) must be tricked into clicking a malicious link, visiting a crafted page, or submitting a specially crafted form while authenticated to the WordPress site. No additional privileges are needed for the attacker beyond the ability to deliver the crafted request to the victim [1].

Impact

Successful exploitation could allow an attacker to force the victim to perform unwanted actions under their current authentication, such as changing plugin settings, modifying sidebars, or other administrative operations. The CVSS v3 base score is 4.3 (Medium), reflecting the need for user interaction and the limited scope of actions that can be forced [1].

Mitigation

The vulnerability has been addressed in version 0.5.9 of the plugin. Users are strongly advised to update to this version or later. Patchstack users can enable auto-updates for vulnerable plugins. While the severity is considered low and exploitation is unlikely, updating is the recommended course of action [1].