CVE-2025-67473
Description
Cross-Site Request Forgery (CSRF) vulnerability in codeworkweb CWW Companion cww-companion allows Cross Site Request Forgery. This issue affects CWW Companion: from n/a through <= 1.3.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CWW Companion WordPress plugin <=1.3.2 has a CSRF vulnerability that allows attackers to force privileged users to execute unintended actions.
Vulnerability
Description
A Cross-Site Request Forgery (CSRF) vulnerability exists in the codeworkweb CWW Companion WordPress plugin (cww-companion) versions from n/a through 1.3.2. This flaw allows an attacker to trick a privileged user into unknowingly performing actions on the attacker's behalf, due to the plugin failing to validate or enforce a unique token for sensitive requests [1].
Exploitation
Conditions
Exploitation requires user interaction: a logged-in administrator or other privileged user must be induced to click a malicious link, visit a crafted page, or submit a form. No additional privileges are required for the attacker beyond the ability to create a crafted request and deliver it to the victim [1].
Impact
If successfully exploited, this CSRF vulnerability could enable a malicious actor to execute unwanted actions under the victim's current authentication session, such as changing plugin settings, adding malicious users, or modifying site content. The CVSS v3 base score is 4.3 (Medium), reflecting the need for user interaction but the potential to affect core site operations [1].
Mitigation and Status
The vendor has released version 1.3.3 of the plugin, which patches the CSRF vulnerability. Users are strongly advised to update to version 1.3.3 or later. If auto-updates are enabled, Patchstack users will receive the fix automatically. No workarounds have been provided, but immediate update is recommended to prevent mass-exploit scenarios [1].
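To make the missing token check described above concrete, the following is an added PHP illustration, not code from the CWW Companion plugin or its vendor. It shows a hypothetical WordPress settings handler first without and then with the nonce verification that ties a request to a form the user actually loaded on the site. All `example_` function names, the option key and the action name are assumptions; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `update_option`) are the standard core functions.

```php
<?php
// Added illustration (not code from the cww-companion plugin): a WordPress
// admin-post handler that saves a plugin option, first without a CSRF token
// check and then with the checks a hardened handler performs.
// Every example_* name, the option key and the action name are hypothetical.

// --- Vulnerable pattern: any request carrying a valid admin session cookie is
// accepted. A capability check alone does not help, because the victim of a
// CSRF attack already holds the capability; only the origin of the request is
// untrusted.
function example_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // No nonce is verified here, so nothing proves the request came from a
    // form rendered by this site for this user.
    $value = sanitize_text_field( wp_unslash( $_POST['example_api_endpoint'] ?? '' ) );
    update_option( 'example_api_endpoint', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-settings&updated=1' ) );
    exit;
}

// --- Hardened pattern: the form carries a per-user, time-limited nonce and the
// handler refuses the request when the nonce is missing or does not verify.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php
        // Emits the hidden _wpnonce field (and _wp_http_referer) bound to the
        // action name that the handler checks below.
        wp_nonce_field( 'example_save_settings' );
        ?>
        <input type="hidden" name="action" value="example_save_settings">
        <input type="text" name="example_api_endpoint"
               value="<?php echo esc_attr( get_option( 'example_api_endpoint', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_save_settings_hardened() {
    // Authorization: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF check: check_admin_referer() calls wp_die() with a 403 unless the
    // submitted _wpnonce verifies for this action and the current user. A form
    // served from another origin cannot obtain that value, so it stops here.
    check_admin_referer( 'example_save_settings' );

    $value = sanitize_text_field( wp_unslash( $_POST['example_api_endpoint'] ?? '' ) );
    update_option( 'example_api_endpoint', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-settings&updated=1' ) );
    exit;
}

// Register only the hardened handler for logged-in users posting
// action=example_save_settings to admin-post.php.
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
```

When reviewing a plugin for this class of bug, the quick audit is to list every `admin_post_*`, `admin_action_*`, `wp_ajax_*` and options-page handler that writes state, and confirm each one reaches `check_admin_referer()` or `wp_verify_nonce()` before the write; a capability check by itself, as in the first handler above, is the pattern that leaves a plugin exposed.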
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 1.3.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.