The fmeaddons TopBar plugin for WordPress suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-10300. This vulnerability exists in all versions up to and including 1.0.0 due to missing or incorrect nonce validation in the function fme_nb_topbar_save_settings(). Nonces in WordPress are security tokens used to verify that requests to perform actions originate from legitimate users and not from forged requests. The absence or improper implementation of nonce validation allows an attacker to craft a malicious request that, when executed by an authenticated administrator (e.g., by clicking a link), can alter the plugin’s settings without the administrator’s consent. Since the vulnerability does not require authentication but does require user interaction, the attack vector involves social engineering techniques to trick administrators. The impact is limited to integrity as attackers can change plugin configurations, potentially leading to further security or operational issues. The vulnerability does not affect confidentiality or availability directly. The CVSS v3.1 base score is 4.3, reflecting a medium severity level due to the ease of exploitation (no privileges required) but limited impact scope. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on 2025-09-11 and published on 2025-10-15.

This vulnerability primarily impacts the integrity of the affected WordPress sites by allowing unauthorized modification of the TopBar plugin settings. If exploited, attackers could alter the plugin’s behavior, potentially enabling further attacks such as redirecting users, injecting malicious content, or disabling security features. While it does not directly compromise confidentiality or availability, the unauthorized changes could facilitate subsequent attacks or degrade user trust. Organizations relying on this plugin, especially those with high-privilege administrators, face risks of configuration tampering that could lead to broader security incidents. Given WordPress’s widespread use globally, the vulnerability could affect numerous websites, including corporate, governmental, and e-commerce platforms. The requirement for user interaction (administrator clicking a malicious link) somewhat limits exploitation but does not eliminate risk, especially in environments where phishing or social engineering is common. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks once exploit code becomes available.

To mitigate this vulnerability, organizations should immediately verify if they use the fmeaddons TopBar plugin and identify the version in use. Since no official patch is currently linked, administrators should implement manual nonce validation in the fme_nb_topbar_save_settings() function to ensure that all state-changing requests include a valid WordPress nonce token. This involves adding checks using WordPress functions such as check_admin_referer() or wp_verify_nonce() before processing settings updates. Additionally, administrators should educate users about the risks of clicking unsolicited links, especially those that could trigger administrative actions. Restricting administrative access to trusted networks or using multi-factor authentication can reduce the risk of successful exploitation. Monitoring plugin settings for unauthorized changes and maintaining regular backups will help in quick recovery if exploitation occurs. Finally, stay alert for official patches or updates from fmeaddons and apply them promptly once available.