CVE-2025-64262

Vulnerability

Overview

The Auto Prune Posts plugin for WordPress, versions up to and including 3.0.0, contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. This flaw arises from insufficient validation of requests, allowing an attacker to trick a logged-in administrator into performing user into executing unintended actions without their consent [1].

Exploitation

Details

Exploitation requires user interaction: a privileged user must click a malicious link, visit a crafted page, or submit a form [1]. The attacker does not need authentication but relies on the victim's active session. The vulnerability can be initiated by any role, but successful exploitation depends on the victim having higher privileges [1].

Impact

A successful CSRF attack could force the attacker to force the victim to perform unwanted actions under their current authentication, such as modifying plugin settings or deleting posts [1]. This could lead to unauthorized changes within the WordPress site.

Mitigation

The vulnerability is patched in version 3.1.0 of the plugin [1]. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins [1]. If unable to update, contacting a web developer or hosting provider should be consulted for assistance [1].