CVE-2025-10375: CWE-352 Cross-Site Request Forgery (CSRF) in accessibewp Web Accessibility by accessiBe
The Web Accessibility By accessiBe plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10. This is due to missing nonce validation on multiple AJAX actions including accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. This makes it possible for unauthenticated attackers to modify plugin settings and create verification files via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-10375 is a Cross-Site Request Forgery (CSRF) vulnerability in the Web Accessibility by accessiBe plugin for WordPress, affecting all versions up to and including 2.10. The root cause is the absence of nonce validation on several AJAX actions, including accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. WordPress nonce tokens exist to confirm that a request was initiated from the site's own pages on behalf of the logged-in user rather than from a forged source. Without that check, an attacker can host a web page or send an email that, when visited or clicked by an authenticated site administrator, causes the administrator's browser to submit a request to the vulnerable site with the administrator's session cookies attached, and the plugin treats that request as legitimate. The reachable effects are modification of plugin configuration and creation of verification files, which can undermine site integrity and security posture. The attacker needs no account on the site but does need administrator interaction, such as a click on a crafted link. The CVSS 3.1 base score of 4.3 (medium) reflects a network attack vector, low attack complexity, no privileges required, user interaction required, and a low impact on integrity with no impact on confidentiality or availability. At the time of writing there are no known exploits in the wild and no official patch has been linked. The vulnerability was published on October 11, 2025, and assigned by Wordfence. It is categorized under CWE-352, which covers CSRF vulnerabilities.
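To make the root cause concrete, here is an illustrative WordPress AJAX handler in its vulnerable and hardened forms. This is an added example, not the accessiBe plugin's code: the action name mirrors one from the advisory, while the function names, option key and settings fields are assumptions.

```php
<?php
// Illustrative example only (not the plugin's own code). The action name is
// taken from the advisory; the option key and settings fields are assumptions.

// Vulnerable pattern: the callback trusts any request that reaches it. A form
// submitted from a third-party page carries the admin's cookies, so the
// settings change goes through with no proof the admin intended it.
function acc_example_modify_config_vulnerable() {
    $config = isset( $_POST['config'] ) ? (array) wp_unslash( $_POST['config'] ) : array();
    update_option( 'acc_example_config', $config ); // no nonce, no capability check
    wp_send_json_success();
}

// Hardened pattern: the request must carry a nonce minted for this action,
// which a third-party page cannot read, AND the caller must be allowed to
// change settings. check_ajax_referer() ends the request with HTTP 403 on a
// missing or invalid nonce, so the body below only runs for genuine requests.
function acc_example_modify_config_fixed() {
    check_ajax_referer( 'acc_example_modify_config', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }
    $raw    = isset( $_POST['config'] ) ? (array) wp_unslash( $_POST['config'] ) : array();
    $config = array(
        'position' => sanitize_key( $raw['position'] ?? 'right' ),
        'label'    => sanitize_text_field( $raw['label'] ?? '' ),
    );
    update_option( 'acc_example_config', $config );
    wp_send_json_success( $config );
}
add_action( 'wp_ajax_accessibe_modify_config', 'acc_example_modify_config_fixed' );

// The nonce reaches the legitimate admin page through the enqueued script, so
// the plugin's own JavaScript can send it (as the 'nonce' POST field) while a
// forged cross-site request has no way to obtain it.
function acc_example_enqueue_admin_js() {
    wp_enqueue_script( 'acc-example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'acc-example-admin', 'accExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'acc_example_modify_config' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'acc_example_enqueue_admin_js' );
```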
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the integrity of WordPress sites using the Web Accessibility by accessiBe plugin. Unauthorized modification of plugin settings could disrupt accessibility features, potentially violating EU accessibility regulations such as the European Accessibility Act. Creation of verification files by attackers might be leveraged for further malicious activities, including site defacement or facilitating additional attacks. Although confidentiality and availability impacts are minimal, the integrity compromise could damage organizational reputation and compliance standing. Given the widespread use of WordPress across Europe and the increasing emphasis on web accessibility compliance, organizations in sectors such as government, education, and public services are particularly exposed. Because administrator interaction is required, social engineering is the likely delivery vector, so the risk grows where phishing defenses are weak. The absence of known exploits reduces immediate risk but does not eliminate the threat, since attackers often develop exploits after disclosure.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify use of the Web Accessibility by accessiBe plugin and verify the version in use. Until an official patch is released, administrators should implement the following mitigations:
- Restrict administrator access and educate administrators about the risks of clicking unsolicited links or visiting untrusted websites while logged into WordPress.
- Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious AJAX requests targeting the vulnerable plugin endpoints.
- Disable or restrict AJAX actions related to the plugin if feasible, especially those exposed without nonce validation.
- Monitor logs for unusual configuration changes or verification file creations.
- Consider temporarily deactivating the plugin if accessibility compliance can be maintained through alternative means.
- Stay updated with vendor communications for official patches and apply them promptly once available.
- Enhance phishing awareness training to reduce the risk of administrator interaction with malicious content.
These steps focus on immediate risk reduction through access control, monitoring, and WAF rule tuning.
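The WAF and AJAX-restriction recommendations above can be approximated at the WordPress layer with a must-use plugin that rejects cross-site requests to the listed actions before the plugin's own handlers run, and logs what it blocked. This is an added example, not vendor code: the action list comes from the advisory; the same-site logic, the manage_options capability requirement and the log format are assumptions.

```php
<?php
/**
 * Plugin Name: Interim same-site guard for accessiBe AJAX actions
 * Description: Added example (not vendor code). Place in wp-content/mu-plugins/
 * until the vendor fix is applied, then remove.
 */

// AJAX actions the advisory names as lacking nonce validation.
const ACC_GUARDED_ACTIONS = array(
    'accessibe_signup',
    'accessibe_login',
    'accessibe_license_trial',
    'accessibe_modify_config',
    'accessibe_add_verification_page',
);

// admin_init fires in admin-ajax.php before the wp_ajax_{action} hook, so
// ending the request here keeps the plugin's own callback from ever running.
function acc_guard_block_cross_site_ajax() {
    $action = $_REQUEST['action'] ?? '';
    if ( ! wp_doing_ajax() || ! is_string( $action ) || ! in_array( $action, ACC_GUARDED_ACTIONS, true ) ) {
        return;
    }

    // Prefer Fetch Metadata: browsers label forged requests 'cross-site' (or
    // 'none' for a bare navigation). Without it, compare the Origin/Referer
    // host with the site host; a legitimate same-site XHR always sends one.
    $site_host   = wp_parse_url( home_url(), PHP_URL_HOST );
    $fetch_site  = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? '';
    $source      = $_SERVER['HTTP_ORIGIN'] ?? ( $_SERVER['HTTP_REFERER'] ?? '' );
    $source_host = '' !== $source ? wp_parse_url( $source, PHP_URL_HOST ) : '';

    $cross_site = '' !== $fetch_site
        ? ! in_array( $fetch_site, array( 'same-origin', 'same-site' ), true )
        : $source_host !== $site_host;

    // Assumption: only users allowed to manage options should reach these actions.
    if ( $cross_site || ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf(
            'acc_guard: blocked action=%s ip=%s sec_fetch_site=%s source_host=%s',
            $action, $_SERVER['REMOTE_ADDR'] ?? '-', $fetch_site, (string) $source_host
        ) );
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'admin_init', 'acc_guard_block_cross_site_ajax', 0 );
```

Entries tagged acc_guard in the PHP error log give the monitoring item above a concrete signal to alert on.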
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-12T15:42:42.324Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ea263d5baaa01f1ca0ff91
Added to database: 10/11/2025, 9:41:17 AM
Last enriched: 10/19/2025, 12:50:46 AM
Last updated: 12/4/2025, 6:08:58 AM