
CVE-2025-0796: CWE-352 Cross-Site Request Forgery (CSRF) in kevin-brent Mortgage Lead Capture System

Severity: Medium
Tags: Vulnerability, CVE-2025-0796, CWE-352
Published: Tue Feb 18 2025 (02/18/2025, 04:21:13 UTC)
Source: CVE Database V5
Vendor/Project: kevin-brent
Product: Mortgage Lead Capture System

Description

CVE-2025-0796 is a Cross-Site Request Forgery (CSRF) vulnerability in the kevin-brent Mortgage Lead Capture System WordPress plugin, affecting all versions up to and including 8.2.10. The flaw arises from missing or incorrect nonce validation on the 'wprequal_reset_defaults' action, which lets an unauthenticated attacker reset the plugin's settings if they can trick an administrator into clicking a crafted link. The vulnerability does not affect confidentiality or availability, but it does compromise the integrity of the plugin's settings. Exploitation requires user interaction but no authentication, so it is rated medium severity with a CVSS score of 4.3. No exploits are known to be in the wild, and no patch has been published yet. Organizations using this plugin should implement mitigations to prevent unauthorized configuration changes. The threat affects only WordPress sites running this plugin, with greater exposure where WordPress adoption is widespread and the real estate or mortgage industry is significant.

AI-Powered Analysis

AI analysis last updated: 02/25/2026, 23:55:38 UTC

Technical Analysis

The vulnerability identified as CVE-2025-0796 affects the Mortgage Lead Capture System plugin for WordPress, developed by kevin-brent. This plugin is widely used to capture mortgage leads via WordPress websites. The issue is a Cross-Site Request Forgery (CSRF) vulnerability categorized under CWE-352: the plugin fails to properly validate nonces on the 'wprequal_reset_defaults' action. WordPress nonces are per-user, per-action tokens that a request handler checks to confirm the request was intentionally initiated from the site's own interface rather than from a third-party page. Because this validation is missing or incorrect, an attacker can craft a request that, when an authenticated site administrator's browser sends it (for example, by following a link), resets the plugin's settings without the administrator's consent. The attacker does not need to be authenticated; they only need to induce an admin user to trigger the action. The impact is limited to integrity: attackers can alter plugin configuration but cannot directly read data or disrupt availability. The CVSS v3.1 base score is 4.3, reflecting low attack complexity and no privileges required, with user interaction necessary. No known exploits have been reported in the wild, and no official patch had been released as of the publication date. The vulnerability affects all plugin versions up to and including 8.2.10. Organizations using this plugin should prioritize mitigation to prevent unauthorized configuration changes that could lead to further exploitation or operational issues.

Potential Impact

The primary impact of this vulnerability is the unauthorized modification of the Mortgage Lead Capture System plugin’s settings, which compromises the integrity of the plugin’s configuration. While this does not directly expose sensitive data or cause denial of service, altered settings could disrupt lead capture functionality, degrade user experience, or potentially open avenues for further attacks if the plugin’s altered state weakens other security controls. For organizations relying on this plugin to generate mortgage leads, such disruptions could result in lost business opportunities and reputational damage. Since exploitation requires tricking an administrator into clicking a malicious link, the attack vector is social engineering combined with CSRF. The vulnerability’s medium severity reflects its limited scope but non-negligible risk, especially for high-traffic WordPress sites in the real estate and mortgage sectors. The absence of known exploits reduces immediate risk, but the vulnerability remains a concern until patched. Organizations globally that use WordPress and this plugin are at risk, particularly those with administrative users who may be targeted via phishing or other social engineering tactics.

Mitigation Recommendations

1. Immediately restrict administrative access to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised admin accounts.
2. Educate all WordPress administrators about the risks of phishing and social engineering attacks, emphasizing caution when clicking links from untrusted sources.
3. Implement web application firewalls (WAFs) with rules to detect and block suspicious CSRF attempts targeting the 'wprequal_reset_defaults' action.
4. Monitor WordPress logs and plugin settings for unexpected changes, enabling rapid detection and response to unauthorized resets.
5. Until an official patch is released, consider temporarily disabling or removing the Mortgage Lead Capture System plugin if feasible, or restrict its usage to environments with minimal exposure.
6. Follow the vendor's updates closely and apply patches promptly once available.
7. Review and harden nonce validation and CSRF protections in custom or third-party WordPress plugins as a best practice to prevent similar vulnerabilities.
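The following is an added illustrative example, not code from the Mortgage Lead Capture System plugin or from the advisory, showing what mitigation steps 4 and 7 look like in a WordPress plugin. It contrasts a reset handler with no nonce check (the defect class CWE-352 describes) against a hardened handler that checks capability and nonce before touching state, and adds an option-change hook that logs every settings change so an unexpected reset is visible. The action name 'wprequal_reset_defaults' comes from the advisory; every other identifier (the `wprequal_settings` option, the helper function names, the text domain) is an assumption made for the example. The WordPress functions used (`check_admin_referer`, `current_user_can`, `wp_nonce_url`, `update_option`, the `admin_post_{action}` and `update_option_{option}` hooks) are real core APIs.

```php
<?php
// Added example (hypothetical plugin code, not the real plugin). Only the
// action name 'wprequal_reset_defaults' is taken from the advisory.

// Hypothetical defaults for the plugin's settings option.
function wprequal_default_settings() {
    return array( 'lead_email' => get_option( 'admin_email' ), 'notify' => true );
}

// VULNERABLE SHAPE (not hooked, shown for contrast): the state change happens on
// any request that carries the action, so a request an admin's browser is induced
// to send from another site is honoured. Nothing ties the request to a token that
// this site's own UI issued to this user for this action.
function wprequal_reset_defaults_unchecked() {
    update_option( 'wprequal_settings', wprequal_default_settings() );
    wp_safe_redirect( admin_url( 'admin.php?page=wprequal&reset=1' ) );
    exit;
}

// HARDENED: capability check, then nonce check, then the state change.
function wprequal_reset_defaults_hardened() {
    // 1. Authorization: only users who may manage options can reset them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wprequal' ), '', array( 'response' => 403 ) );
    }
    // 2. Intent: check_admin_referer() reads $_REQUEST['_wpnonce'] and stops the
    //    request unless the token was generated for this action string, for this
    //    user, within the nonce lifetime. A cross-site request cannot carry it.
    check_admin_referer( 'wprequal_reset_defaults' );
    // 3. Only now perform the reset.
    update_option( 'wprequal_settings', wprequal_default_settings() );
    wp_safe_redirect( add_query_arg( 'reset', '1', admin_url( 'admin.php?page=wprequal' ) ) );
    exit;
}
add_action( 'admin_post_wprequal_reset_defaults', 'wprequal_reset_defaults_hardened' );

// The settings page must emit the matching token: wp_nonce_url() appends _wpnonce
// bound to the same action string that check_admin_referer() verifies.
function wprequal_reset_button_html() {
    $url = wp_nonce_url(
        admin_url( 'admin-post.php?action=wprequal_reset_defaults' ),
        'wprequal_reset_defaults'
    );
    return '<a class="button" href="' . esc_url( $url ) . '">'
        . esc_html__( 'Reset to defaults', 'wprequal' ) . '</a>';
}

// Detection aid (mitigation step 4): record who changed the plugin's settings and
// from where, so an unexpected reset stands out in the PHP error log or SIEM.
add_action( 'update_option_wprequal_settings', function ( $old_value, $new_value ) {
    $user = wp_get_current_user();
    error_log( sprintf(
        '[wprequal] settings changed by user #%d (%s) from %s; keys before=%s after=%s',
        $user->ID,
        $user->user_login,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        implode( ',', array_keys( (array) $old_value ) ),
        implode( ',', array_keys( (array) $new_value ) )
    ) );
}, 10, 2 );
```

The ordering in the hardened handler matters: the capability check rejects low-privilege users outright, and the nonce check rejects requests that did not originate from the site's own settings page, before `update_option()` runs. The audit hook fires on every change regardless of the trigger, which is what makes an unauthorized reset observable even on an unpatched install.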


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-28T14:40:20.184Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6b6bb7ef31ef0b55539c

Added to database: 2/25/2026, 9:36:43 PM

Last enriched: 2/25/2026, 11:55:38 PM

Last updated: 2/26/2026, 7:06:43 AM


