CVE-2025-64239
Description
Cross-Site Request Forgery (CSRF) vulnerability in Yoav Farhi RTL Tester rtl-tester allows Cross Site Request Forgery. This issue affects RTL Tester: from n/a through <= 1.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in RTL Tester plugin (≤1.2) allows attackers to force privileged users into unintended actions via crafted requests.
Vulnerability Overview
The RTL Tester WordPress plugin, versions up to and including 1.2, contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw stems from missing or insufficient anti-CSRF tokens on sensitive operations, allowing an attacker to trick an authenticated administrator into unknowingly executing unwanted actions [1].
Exploitation Attack Surface
Exploitation requires user interaction: a privileged user must click a malicious link, visit a crafted page, or submit a deceptive form while authenticated to the WordPress admin area. No special privileges on the attacker's part are needed beyond the ability to lure a victim into performing the request. Such CSRF vulnerabilities are commonly leveraged in mass-exploit campaigns targeting thousands of sites [1].
Impact
Upon successful exploitation, an attacker can force the victim's browser to send forged requests to the RTL Tester plugin endpoint, potentially altering plugin settings or performing other actions under the victim's session. The CVSS v3 base score of 4.3 reflects the medium severity and the requirement for user interaction [1].
Mitigation
The vendor has not yet released a patched version for this specific issue. Users are strongly advised to update the plugin as soon as a fix becomes available. As an interim measure, administrators should disable the plugin or apply a Web Application Firewall (WAF) rule to block suspicious requests. Since this vulnerability is publicly disclosed and included in automated attack patterns, immediate action is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=1.2
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.