VYPR · Medium severity (4.3) · NVD Advisory · Published Jul 26, 2025 · Updated Apr 15, 2026

CVE-2025-8103

Description

The WPeMatico RSS Feed Fetcher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.7. This is due to missing nonce validation in the handle_feedback_submission() function. This makes it possible for unauthenticated attackers to deactivate the plugin via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Versions 2.8.7 and earlier of the WPeMatico RSS Feed Fetcher plugin for WordPress lack nonce validation in the feedback submission function, enabling a CSRF attack that deactivates the plugin.

Vulnerability

Overview

The WPeMatico RSS Feed Fetcher plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 2.8.7. The root cause is the missing nonce validation in the handle_feedback_submission() function [1]. WordPress nonces are short-lived tokens tied to a specific action and to the current user's session; a handler that verifies the nonce can confirm that the request originated from a form or link WordPress generated for that user. Without that check, the plugin cannot distinguish a genuine administrative action from a forged cross-site request that merely carries the administrator's cookies.

Exploitation

Method

An unauthenticated attacker can exploit this vulnerability by crafting a malicious link or form that targets the plugin’s deactivation endpoint. The attacker must trick a logged-in site administrator into clicking the link or submitting the form — for example, via a phishing email or a hidden iframe on another site. Since the request carries the administrator’s session cookies but lacks a valid nonce, the plugin processes the action as if it were legitimate.

The attack requires user interaction (the administrator must perform an action), which limits the severity, but no additional authentication is needed beyond tricking an already authenticated administrator.

Impact

If successfully exploited, the attacker can deactivate the WPeMatico plugin without authorization. This halts all automated content imports, campaign schedules, and related functionality until an administrator manually reactivates the plugin. While deactivation does not lead to data loss or remote code execution, it disrupts a core site feature and could be used to cause denial of service or prepare for further attacks by disabling a security-related plugin.

Mitigation

Status

The vendor addressed this vulnerability in version 2.8.8, released on July 24, 2025, which “fixes a CSRF vulnerability in the deactivation feedback system with stronger validation” [2]. Users are strongly advised to update to version 2.8.8 or later. No workarounds are documented; updating is the recommended action.
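Added illustration of the pattern the overview and the fix describe; it is not WPeMatico's code, and the function names, nonce action string, option name and plugin path are hypothetical. It places a deactivation-feedback handler with no nonce check next to the same handler guarded by check_admin_referer() and a capability check.

```php
<?php
// Hypothetical example, not the plugin's own code: names and paths are made up.

// Vulnerable pattern: the handler trusts any request that arrives with the
// administrator's session cookie, so a form submitted from another origin works.
function vuln_handle_feedback_submission() {
    $reason = isset( $_POST['reason'] ) ? sanitize_text_field( wp_unslash( $_POST['reason'] ) ) : '';
    update_option( 'example_deactivation_reason', $reason );
    deactivate_plugins( 'example-plugin/example-plugin.php' );
    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}

// Hardened pattern: the form embeds a nonce bound to one action and the current
// user, and the handler refuses the request unless that nonce verifies.
function safe_feedback_form_html() {
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_deactivate_feedback', 'example_feedback_nonce' ); ?>
        <input type="hidden" name="action" value="example_feedback_submission">
        <input type="text" name="reason">
        <button type="submit">Deactivate</button>
    </form>
    <?php
    return ob_get_clean();
}

function safe_handle_feedback_submission() {
    // check_admin_referer() calls wp_die() when the nonce is missing or invalid,
    // so a forged cross-site request never reaches the deactivation call.
    check_admin_referer( 'example_deactivate_feedback', 'example_feedback_nonce' );
    // The nonce proves intent, not permission: still check the capability.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $reason = isset( $_POST['reason'] ) ? sanitize_text_field( wp_unslash( $_POST['reason'] ) ) : '';
    update_option( 'example_deactivation_reason', $reason );
    deactivate_plugins( 'example-plugin/example-plugin.php' );
    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}

// admin_post_{action} only runs for logged-in users, but the browser attaches the
// session cookie to cross-site form posts too, which is why the nonce is required.
add_action( 'admin_post_example_feedback_submission', 'safe_handle_feedback_submission' );
```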

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
