CVE-2025-64256

Vulnerability

Overview The Simple Folio plugin for WordPress, up to version 1.1.0, contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw allows an attacker to trick authenticated users—such as administrators—into performing unintended actions without their knowledge or consent. The root cause is the lack of proper CSRF protection (nonce validation) on certain sensitive operations within the plugin.

Exploitation

Method Exploitation requires user interaction: a privileged user must be tricked into clicking a malicious link, submitting a crafted form, or visiting a malicious page while authenticated to WordPress. The attacker does not need any special privileges but must craft a request that performs an action the victim is authorized to do. This attack can be performed remotely with low complexity.

Impact

A successful CSRF attack can force the victim to execute unwanted actions under their current session. In the context of WordPress, this could include changing plugin settings, deleting content, or creating unauthorized user accounts. The attacker gains no direct data access but can perform state-changing operations on the target site. The CVSS v3.1 score is 4.3 (Medium), indicating moderate severity.

Mitigation

The vulnerability is patched in version 1.1.1. Users are strongly advised to update to this latest release immediately. For those unable to update, using auto-update features or seeking help from a hosting provider is recommended. The vendor considers this a low-severity issue unlikely to be exploited, but proactive updating remains the best defense [1].