CVE-2025-0990: CWE-352 Cross-Site Request Forgery (CSRF) in webtroniclabs I Am Gloria
CVE-2025-0990 is a medium-severity Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 1.1.4 of the I Am Gloria WordPress plugin by webtroniclabs. The vulnerability arises from missing or incorrect nonce validation in the iamgloria23_gloria_settings_page function, allowing unauthenticated attackers to trick site administrators into resetting the tenant ID via forged requests. Exploitation requires user interaction, specifically that an administrator clicks a malicious link. While no known exploits are currently in the wild, successful exploitation could lead to integrity loss through unauthorized modification of plugin settings. The vulnerability has a CVSS 3.1 base score of 4.3, reflecting low attack complexity but a limited impact scope. Organizations using this plugin should prioritize applying patches or implementing nonce validation to prevent unauthorized state changes.
AI Analysis
Technical Summary
CVE-2025-0990 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the I Am Gloria plugin for WordPress, affecting all versions up to and including 1.1.4. The root cause is the absence or incorrect implementation of nonce validation in the iamgloria23_gloria_settings_page function, which is responsible for handling certain plugin settings, including the tenant ID. Nonces in WordPress are security tokens designed to verify that requests originate from legitimate users and prevent unauthorized actions. Without proper nonce checks, an attacker can craft a malicious request that, when executed by an authenticated administrator (e.g., by clicking a specially crafted link), causes the plugin to reset the tenant ID. This unauthorized change compromises the integrity of the plugin’s configuration. The vulnerability does not allow for direct data disclosure or denial of service but can lead to unauthorized configuration changes that may affect plugin behavior or multi-tenant setups. The CVSS 3.1 score of 4.3 reflects that the attack vector is network-based, requires no privileges, but does require user interaction (an administrator clicking a link). The scope remains unchanged as the vulnerability affects only the plugin’s internal settings. No known public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The absence of a patch link suggests that users should monitor vendor updates or apply manual mitigations.
Potential Impact
The primary impact of this vulnerability is on the integrity of the affected WordPress sites using the I Am Gloria plugin. An attacker can cause unauthorized changes to the tenant ID, potentially disrupting multi-tenant configurations or causing misrouting of data or functionality within the plugin. While it does not directly expose sensitive data or cause denial of service, unauthorized configuration changes can lead to operational issues, misconfigurations, or indirect security risks if tenant isolation is compromised. For organizations relying on this plugin for critical functionality, such changes could affect business processes or user experience. Since exploitation requires an administrator to interact with a malicious link, the risk is somewhat mitigated by user awareness but remains significant in environments with less vigilant administrators. The vulnerability could be leveraged as part of a broader attack chain, especially in environments where tenant ID integrity is critical. Overall, the impact is moderate but should not be underestimated in high-value or multi-tenant WordPress deployments.
Mitigation Recommendations
To mitigate CVE-2025-0990, organizations should first check for and apply any official patches or updates from webtroniclabs as they become available. In the absence of an official patch, administrators can implement manual nonce validation in the iamgloria23_gloria_settings_page function by verifying WordPress nonces before processing any state-changing requests. Additionally, administrators should be trained to recognize and avoid clicking suspicious links, especially those received from untrusted sources. Setting the SameSite attribute on authentication cookies reduces CSRF risk by keeping the browser from attaching the administrator's session cookies to cross-site requests; Content Security Policy (CSP) headers add a further layer of hardening against related injection vectors. Monitoring administrative actions and enabling logging for plugin configuration changes can help detect suspicious activity. Restricting administrative access to trusted networks or VPNs can further reduce exposure. Finally, consider disabling or replacing the I Am Gloria plugin if it is not essential or if a secure alternative exists.
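As an added illustration of the nonce-validation fix the recommendations describe, the following shows the weak settings-handler pattern beside its hardened form using WordPress's nonce API. This is example code, not the I Am Gloria plugin's source; the function, option and nonce names are hypothetical.

```php
<?php
// Added illustration of the CWE-352 fix pattern for a WordPress settings page.
// All function, option and nonce names are hypothetical placeholders; this is
// not the plugin's own code.

// BEFORE (vulnerable pattern): any POST reaching this handler is honoured, so a
// form on an attacker-controlled page, submitted by a logged-in administrator's
// browser, resets the option with no proof the request came from this site.
function example_settings_page_vulnerable() {
    if ( isset( $_POST['reset_tenant'] ) ) {
        update_option( 'example_tenant_id', '' ); // state change, no origin check
    }
    // ... render form ...
}

// AFTER (hardened pattern): the form carries a nonce bound to this action and
// to the current user's session, and the handler refuses to act without it.
// The capability check is kept as well: the nonce stops forged requests, the
// capability check stops low-privileged users; neither replaces the other.
function example_settings_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }

    if ( isset( $_POST['reset_tenant'] ) ) {
        // Stops with a 403 when the nonce is missing, expired or does not match.
        check_admin_referer( 'example_reset_tenant', 'example_nonce' );
        update_option( 'example_tenant_id', '' );
        add_settings_error( 'example', 'reset', __( 'Tenant ID reset.', 'example' ), 'updated' );
    }

    settings_errors( 'example' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_reset_tenant', 'example_nonce' ); ?>
        <?php submit_button( __( 'Reset tenant ID', 'example' ), 'delete', 'reset_tenant' ); ?>
    </form>
    <?php
}
```

Because wp_nonce_field() emits a token tied to the logged-in user and a limited lifetime, a cross-site form cannot supply a valid value, which is exactly the check the advisory reports as missing.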
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-02-03T17:39:54.073Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b6eb7ef31ef0b55562d
Added to database: 2/25/2026, 9:36:46 PM
Last enriched: 2/26/2026, 12:00:34 AM
Last updated: 2/26/2026, 7:04:55 AM