CVE-2025-66064
Description
Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Giveaways and Contests by RafflePress (rafflepress) allows Cross Site Request Forgery. This issue affects Giveaways and Contests by RafflePress: from n/a through <= 1.12.20.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in RafflePress allows attackers to force logged-in administrators to unknowingly perform unwanted actions.
The Giveaways and Contests by RafflePress plugin for WordPress, in versions 1.12.20 and earlier, contains a Cross-Site Request Forgery (CSRF) vulnerability. The flaw stems from insufficient validation of request origins, allowing an attacker to craft a malicious request that the application treats as legitimate. [1]
Exploitation requires no special privileges beyond the attacker’s ability to trick a logged-in administrator into performing an action, such as clicking a link or submitting a form. The attack can be initiated remotely via social engineering, and no authentication is needed from the attacker. However, the targeted user must have a valid session in the WordPress admin area. [1]
If successfully exploited, the attacker can force the administrator to perform unauthorized actions on the attacker's behalf, such as changing plugin settings or modifying giveaway configurations. This could lead to further compromise of the affected site. The CVSS score is 4.3 (Medium), indicating a moderate severity with a low likelihood of exploitation in typical deployments. [1]
Update to version 1.12.21 or later to patch the vulnerability. Users of Patchstack can enable auto-updates for the affected plugin. No workarounds have been provided beyond updating. [1]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Two entries, neither with a CPE identifier, both covering the version range <= 1.12.20.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.