CVE-2025-0801 is a medium-severity Cross-Site Request Forgery (CSRF) vulnerability identified in the RateMyAgent Official plugin for WordPress, affecting all versions up to and including 1.4.0. The vulnerability stems from missing or incorrect nonce validation on the 'rma-settings-wizard' functionality, which is responsible for managing plugin settings including the API key. Nonce validation is a security mechanism designed to ensure that requests originate from legitimate users and not from malicious third-party sites. Due to the absence or improper implementation of this validation, an attacker can craft a malicious web request that, when an authenticated site administrator visits or clicks a specially crafted link, causes the administrator’s browser to unknowingly submit a request that updates the plugin’s API key. This attack does not require the attacker to be authenticated on the target site but does require user interaction from an administrator, making it a classic CSRF scenario. The impact primarily affects the integrity of the plugin’s configuration, as unauthorized API key changes could disrupt plugin functionality, potentially leading to data misrouting or loss of control over plugin features. The CVSS 3.1 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), no confidentiality or availability impact (C:N/A:N), and low integrity impact (I:L). No public exploits have been reported yet, but the vulnerability is published and should be addressed promptly. The lack of a patch link suggests that a fix may not yet be available, emphasizing the need for interim mitigations.

The primary impact of this vulnerability is on the integrity of the RateMyAgent plugin’s configuration, specifically the API key used for its operations. Unauthorized modification of the API key could lead to loss of control over plugin data exchanges, potentially allowing attackers to redirect or disrupt data flows between the WordPress site and RateMyAgent services. While this does not directly compromise site confidentiality or availability, it undermines trust in the plugin’s functionality and could indirectly affect business operations relying on accurate agent ratings and reviews. Organizations using this plugin risk unauthorized configuration changes that could lead to service disruption or data integrity issues. Since exploitation requires an administrator to interact with a malicious link, social engineering is a key factor, increasing the risk in environments where administrators may be targeted. The vulnerability affects all sites running the vulnerable plugin versions, which could be widespread given WordPress’s popularity. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits after public disclosure.

Organizations should immediately verify if they are running RateMyAgent Official plugin versions up to 1.4.0 and plan to update to a patched version once available. Until a patch is released, administrators should be educated about the risk of clicking untrusted links, especially those that could trigger plugin settings changes. Implementing web application firewall (WAF) rules to detect and block suspicious POST requests targeting the 'rma-settings-wizard' endpoint can help mitigate exploitation attempts. Additionally, site owners can manually add nonce verification checks in the plugin code if feasible or disable the plugin temporarily if it is not critical. Monitoring administrative activity logs for unexpected changes to plugin settings or API keys can provide early detection of exploitation attempts. Enforcing multi-factor authentication (MFA) for administrator accounts reduces the risk of account compromise that could facilitate exploitation. Finally, maintaining regular backups of site configurations ensures recovery capability if unauthorized changes occur.