VYPR
Medium severity (CVSS 4.3) · NVD Advisory · Published Jul 24, 2025 · Updated Apr 15, 2026

CVE-2025-7835

Description

The iThoughts Advanced Code Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.10. This is due to missing or incorrect nonce validation on the 'ithoughts_ace_update_options' AJAX action. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site request forgery vulnerability in the iThoughts Advanced Code Editor plugin for WordPress allows unauthenticated attackers to modify plugin settings by tricking administrators into clicking a malicious link.

Vulnerability Details

The iThoughts Advanced Code Editor plugin for WordPress, versions up to and including 1.2.10, is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists in the ithoughts_ace_update_options AJAX action, which lacks proper nonce validation [1]. Nonce validation is a standard WordPress measure that verifies a request was issued from a page the site itself served to the logged-in user, rather than forged by a third-party site; the browser attaches the session cookie to any request, so the cookie alone does not prove the user intended the action. Its absence means that an attacker can forge update requests without knowing the victim's credentials.
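As an added illustration (not the plugin's own code, which is not reproduced here), the handler below shows the pattern the advisory describes, an AJAX action that updates plugin options without nonce validation, beside the hardened form that checks a nonce and the caller's capability. The action, option and field names are hypothetical.

```php
<?php
// Added illustration, not the plugin's own code. Action, option and field names are hypothetical.

// Vulnerable pattern: nothing here verifies that the logged-in administrator
// intended this request. The browser attaches the session cookie to a POST
// triggered from any site, so a forged cross-site request updates the option.
function example_update_options_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}
// (Before the fix this function was the one registered for the action below.)

// Hardened pattern, part 1: the settings page embeds a nonce tied to the action
// name. A third-party site cannot read this value, so it cannot forge the request.
function example_render_settings_form() {
    ?>
    <form id="example-settings">
        <?php wp_nonce_field( 'example_update_options', 'example_nonce' ); ?>
        <input type="text" name="settings[theme]" value="">
    </form>
    <?php
}

// Hardened pattern, part 2: the AJAX handler refuses requests without a valid nonce.
add_action( 'wp_ajax_example_update_options', 'example_update_options_hardened' );
function example_update_options_hardened() {
    // Sends a 403 response and stops if the 'example_nonce' field is missing
    // or does not match the 'example_update_options' action.
    check_ajax_referer( 'example_update_options', 'example_nonce' );

    // A nonce proves intent, not authority: still check the caller's capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // Sanitize before storing; the raw array is attacker-influenced input.
    $raw      = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    $settings = array_map( 'sanitize_text_field', wp_unslash( $raw ) );
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}
```

The plugin's own admin JavaScript would then post the `example_nonce` value along with the settings; a request lacking it fails before any option is written.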

Attack Vector

To exploit this vulnerability, an attacker must trick a site administrator into performing an action such as clicking on a link or visiting a crafted page while authenticated to the WordPress admin panel. The attacker does not need any authentication themselves, as the forged request leverages the administrator's existing session. Exploitation therefore relies on social engineering, but beyond the victim's own administrator session no further privileges are needed, and the attack can be carried out remotely.

Impact

A successful CSRF attack allows the attacker to modify plugin settings without the administrator's knowledge or consent [1]. The exact impact depends on which settings can be altered via the vulnerable AJAX action. While this vulnerability is rated Medium (CVSS 4.3), it could enable further configuration changes that affect site functionality or security posture. The plugin has been closed and removed from the WordPress plugin directory as of July 22, 2025, due to this security issue [1].

Mitigation Status

No patched version is available; users of this plugin should immediately uninstall it from their WordPress installations [1]. The plugin is no longer supported, and no security update will be released. Site administrators should verify that the plugin is not present in their environments and ensure that any functionality provided by the plugin is replaced with an actively maintained alternative.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
