CVE-2025-8383
Description
The Depicter plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 4.0.4. This is due to missing or incorrect nonce validation on the depicter-document-rules-store function. This makes it possible for unauthenticated attackers to modify document rules via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Depicter WordPress plugin <=4.0.4 has a CSRF vulnerability allowing unauthenticated attackers to modify document rules via forged requests.
Vulnerability
Overview
The Depicter WordPress plugin, versions 4.0.4 and earlier, contains a Cross-Site Request Forgery (CSRF) vulnerability in the depicter-document-rules-store AJAX function. The root cause is missing or incorrect nonce validation on this endpoint, which processes POST requests that update document display rules [1]. Because the browser attaches the victim's WordPress session cookies to any request sent to the site, including one originating from a third-party page, the endpoint cannot distinguish a forged request from a legitimate one without a nonce. An attacker can therefore cause a logged-in user with sufficient privileges to modify rules without knowing it.
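To make the root cause concrete, here is an added illustration (not Depicter's code and not taken from the cited references) of a WordPress admin-ajax handler that stores display rules, first in the CSRF-prone shape the description implies and then hardened with the standard WordPress controls. The hook names (`example_rules_store`), option name, field names and the `manage_options` capability are hypothetical choices for the example; the WordPress functions themselves (`check_ajax_referer`, `current_user_can`, `wp_create_nonce`, `wp_localize_script`, `wp_send_json_error`) are real core APIs.

```php
<?php
/**
 * Added example (hypothetical plugin code, not Depicter's): an admin-ajax
 * "store rules" handler in its CSRF-prone form and in a hardened form.
 * Hook names, option name and request fields are invented for illustration.
 */

// --- Vulnerable shape: no nonce and no capability check. The browser sends the
// victim's logged-in cookies with a cross-site form POST, so the request arrives
// authenticated and attacker-controlled rules are stored as-is.
add_action( 'wp_ajax_example_rules_store_insecure', function () {
    $rules = isset( $_POST['rules'] ) ? wp_unslash( $_POST['rules'] ) : array();
    update_option( 'example_display_rules', $rules );
    wp_send_json_success();
} );

// --- Hardened shape.
const EXAMPLE_RULES_NONCE_ACTION = 'example_rules_store';

/** Normalise and sanitise the submitted rule list before it is persisted. */
function example_sanitize_rules( array $rules ): array {
    $clean = array();
    foreach ( $rules as $rule ) {
        if ( ! is_array( $rule ) ) {
            continue;
        }
        $clean[] = array(
            'title'   => sanitize_text_field( $rule['title'] ?? '' ),
            'content' => wp_kses_post( $rule['content'] ?? '' ), // HTML allow-list
            'enabled' => ! empty( $rule['enabled'] ),
        );
    }
    return $clean;
}

add_action( 'wp_ajax_example_rules_store', function () {
    // 1. CSRF: the nonce is tied to this action and to the user's session, so a
    //    third-party page cannot obtain or forge one. check_ajax_referer() reads
    //    the _ajax_nonce field and terminates the request (403, body "-1") on failure.
    check_ajax_referer( EXAMPLE_RULES_NONCE_ACTION, '_ajax_nonce' );

    // 2. Authorisation: a valid nonce proves intent, not privilege, so the
    //    capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Input handling: sanitise before storing so a rule title or body cannot
    //    become stored HTML that is later rendered in an admin screen.
    $raw = ( isset( $_POST['rules'] ) && is_array( $_POST['rules'] ) )
        ? wp_unslash( $_POST['rules'] )
        : array();
    update_option( 'example_display_rules', example_sanitize_rules( $raw ) );
    wp_send_json_success();
} );

// The legitimate admin page hands the nonce to its own script; the script then
// posts it as _ajax_nonce alongside the rules. A forged page never sees it.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-rules', plugins_url( 'rules.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-rules', 'exampleRules', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( EXAMPLE_RULES_NONCE_ACTION ),
    ) );
} );
```

The three checks are independent: the nonce stops cross-site forgery, the capability check stops low-privilege but authenticated users, and sanitisation limits what a successful request can store. An endpoint missing only the first of these is exactly the condition the description calls "missing or incorrect nonce validation".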
Exploitation
Method
An unauthenticated attacker can craft a malicious HTML page that, when visited by a logged-in WordPress user with sufficient privileges, automatically submits a forged POST request to the vulnerable endpoint. The attacker needs no credentials of their own: the victim's browser attaches the site's session cookies to the cross-site request, so it arrives authenticated as the victim. The attack relies on social engineering to get the victim to click a link or visit the attacker's page [1]. Because the depicter-document-rules-store AJAX action is executed without CSRF token verification, nothing distinguishes the forged request from one the victim made deliberately.
Impact
Successful exploitation allows the attacker to modify document display rules, including placing attacker-controlled HTML in rule titles or content. This could lead to unauthorized content changes, defacement, or further attacks if the injected HTML is later rendered in an administrative context [1]. The vulnerability does not directly allow code execution, but it can be used to alter how sliders, popups, and content blocks are displayed across the site.
Mitigation
The vendor has not released a patched version as of the publication date. Until a fix is available, users are advised to apply the principle of least privilege, ensure administrators exercise caution when clicking links while logged in, and consider a Web Application Firewall (WAF). Note that a WAF cannot recognise a forged request by its cookies, since those are the victim's genuine session cookies; it can only help if its rules reject POSTs to the endpoint whose Origin or Referer header does not match the site, which is a weaker control than server-side nonce verification. The vulnerability has a CVSS v3 score of 4.3 (Medium) and a public proof-of-concept exists [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://drive.google.com/file/d/1Fph3k-uyN6tX4hHeupjdYsZWZe3gYjqo/view (source: NVD)
- https://plugins.trac.wordpress.org/browser/depicter/trunk/app/routes/ajax.php (source: NVD)
- https://plugins.trac.wordpress.org/changeset/3384613/ (source: NVD)
- https://research.cleantalk.org/cve-2025-8383/ (source: NVD)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c54e5cd9-cc51-4367-afe0-11a6abfc0437 (source: NVD)
News mentions: 0
No linked articles in our index yet.