The Comment Info Detector plugin for WordPress, developed by tom_riddle, suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-10311. This vulnerability exists in all versions up to and including 1.0.5 due to the absence of nonce validation on the options.php file, which handles form submissions for plugin settings. Nonce validation is a security mechanism used in WordPress to ensure that requests modifying state originate from legitimate users and not from forged requests. Without this protection, an attacker can craft a malicious link or webpage that, when visited by a site administrator, causes the administrator's browser to submit unauthorized requests to the plugin, thereby changing its settings without consent. The attack does not require the attacker to be authenticated, but it does require the administrator to interact with the malicious content (e.g., clicking a link). The vulnerability impacts the integrity of the plugin's configuration but does not directly expose confidential data or disrupt service availability. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects that the attack is network-based, requires low attack complexity, no privileges, but does require user interaction, and affects only integrity. No patches or fixes are currently linked, and no exploits have been reported in the wild as of the publication date (October 3, 2025).

The primary impact of this vulnerability is unauthorized modification of the Comment Info Detector plugin settings by an attacker who can trick an administrator into performing an action. This can lead to misconfiguration that might degrade the security posture of the WordPress site, potentially enabling further attacks such as privilege escalation, data manipulation, or enabling malicious plugin behavior. While it does not directly compromise confidentiality or availability, altered settings could indirectly facilitate other attacks or disrupt normal plugin operations. Organizations relying on this plugin risk unauthorized changes that could undermine trust in site integrity and complicate incident response. Since WordPress is widely used globally, sites using this plugin are exposed to this risk until mitigated.

To mitigate this vulnerability, site administrators should immediately restrict administrative access and avoid interacting with untrusted links or content that could trigger CSRF attacks. Developers or site maintainers should implement nonce validation in the options.php form handling to ensure that all state-changing requests are verified as legitimate. Until an official patch is released, consider disabling or removing the Comment Info Detector plugin to eliminate exposure. Employ web application firewalls (WAFs) with rules to detect and block CSRF attack patterns targeting WordPress admin endpoints. Additionally, educate administrators on the risks of clicking unsolicited links while logged into admin accounts. Monitor plugin updates from the vendor and apply patches promptly once available. Regularly audit plugin configurations for unauthorized changes to detect exploitation attempts early.