VYPR
Medium severity 5.4 · NVD Advisory · Published Dec 16, 2025 · Updated Apr 27, 2026

CVE-2025-68083

Description

Cross-Site Request Forgery (CSRF) vulnerability in Meks Meks Quick Plugin Disabler meks-quick-plugin-disabler allows Cross Site Request Forgery. This issue affects Meks Quick Plugin Disabler: from n/a through <= 1.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Meks Quick Plugin Disabler plugin for WordPress (<=1.0) is vulnerable to CSRF, allowing attackers to force privileged users to disable plugins without consent.

The Meks Quick Plugin Disabler plugin for WordPress, versions up to and including 1.0, contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw arises because the plugin fails to implement proper CSRF tokens or other validation mechanisms on state-changing requests, such as those that disable plugins. As a result, an attacker can craft a malicious link or form that, when clicked by an authenticated administrator, will execute unwanted actions under the victim's session [1].

Exploitation requires user interaction: a privileged user (e.g., an administrator) must be tricked into clicking a crafted link, visiting a specially prepared page, or submitting a malicious form while logged into the WordPress admin panel. No additional authentication is needed beyond the victim's existing session. The attack can be initiated remotely, and the attacker does not need any prior access to the site [1].

Successful exploitation allows an attacker to force the victim to disable arbitrary plugins on the WordPress site. This could disrupt site functionality, remove security plugins, or pave the way for further compromise. The CVSS v3 base score is 5.4 (Medium), reflecting the need for user interaction and the potential for significant impact on site availability and integrity [1].

As of the publication date, the vulnerability affects all versions up to and including 1.0. Users are strongly advised to update the plugin to a patched version if available. If an update is not possible, site administrators should consider disabling the plugin or implementing additional CSRF protections, such as using a Web Application Firewall (WAF) or custom code. Exploitation campaigns are known to have been observed targeting this type of vulnerability [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
