
CVE-2025-10375: CWE-352 Cross-Site Request Forgery (CSRF) in accessibewp Web Accessibility by accessiBe

Severity: Medium
Tags: vulnerability, cve, cve-2025-10375, cwe-352
Published: Sat Oct 11 2025 (10/11/2025, 09:28:42 UTC)
Source: CVE Database V5
Vendor/Project: accessibewp
Product: Web Accessibility by accessiBe

Description

The Web Accessibility By accessiBe plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10. This is due to missing nonce validation on multiple AJAX actions including accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. This makes it possible for unauthenticated attackers to modify plugin settings and create verification files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AI-Powered Analysis

AI analysis last updated: 10/11/2025, 10:00:00 UTC

Technical Analysis

CVE-2025-10375 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the Web Accessibility by accessiBe plugin for WordPress, affecting all versions up to and including 2.10. The vulnerability stems from the absence of nonce validation on several AJAX endpoints, including accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. Nonce tokens are security measures designed to ensure that requests to change state originate from legitimate users and not from malicious third parties. Without nonce validation, an attacker can craft malicious web pages or links that, when visited or clicked by an authenticated site administrator, execute unauthorized actions on the vulnerable WordPress site. These actions can include changing plugin configurations or creating verification files, which could be leveraged to bypass security controls or prepare for further attacks. The vulnerability does not require the attacker to be authenticated but does require that the administrator interacts with the malicious content (user interaction). The CVSS v3.1 base score is 4.3, reflecting a medium severity primarily due to the limited impact on confidentiality and availability but a potential impact on integrity. No public exploits have been reported to date, but the vulnerability poses a risk to site integrity and trustworthiness. The plugin is widely used to ensure web accessibility compliance, making it a critical component for organizations aiming to meet legal accessibility standards.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized modification of accessibility plugin settings, potentially disrupting compliance with EU accessibility directives such as the Web Accessibility Directive (Directive (EU) 2016/2102). Altered configurations or unauthorized verification files could undermine the reliability of accessibility features, exposing organizations to legal and reputational risks. While the vulnerability does not directly compromise sensitive data confidentiality or availability, the integrity of the website’s accessibility compliance is at risk. This could affect public sector websites and private companies required to maintain accessibility standards. Additionally, attackers might leverage the altered plugin state as a foothold for further attacks or to evade detection. The requirement for user interaction (administrator clicking a malicious link) means social engineering is a key factor, emphasizing the importance of user awareness. The impact is more pronounced in organizations with high reliance on WordPress and the accessiBe plugin for accessibility compliance, especially those with public-facing websites serving diverse user groups.

Mitigation Recommendations

Immediate mitigation should focus on updating the Web Accessibility by accessiBe plugin to a version that includes nonce validation once released by the vendor. Until a patch is available, administrators should restrict access to the WordPress admin dashboard to trusted networks and users, employing IP whitelisting or VPN access where possible. Implementing Content Security Policy (CSP) headers can reduce the risk of malicious external content triggering CSRF attacks. Administrators should be trained to recognize phishing attempts and avoid clicking suspicious links, especially when logged into administrative accounts. Additionally, deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious AJAX requests targeting the vulnerable endpoints can provide a protective layer. Regular audits of plugin configurations and verification files should be conducted to detect unauthorized changes promptly. Finally, organizations should consider disabling or limiting the use of AJAX actions exposed without nonce validation until the vulnerability is resolved.
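The following is an added illustration, not code from the accessiBe plugin: a WordPress AJAX handler for one of the action names named above (accessibe_modify_config), first in the unprotected shape the advisory describes and then hardened with the nonce validation and capability check that the technical analysis and the mitigation advice call for. The option name, the `config` field, the handler function names and the admin script file are assumptions.

```php
<?php
// Added example (not the accessiBe plugin's code). Action name is from the
// advisory; 'acc_example_config', the 'config' POST field and admin.js are assumed.

// --- Vulnerable pattern: a state change with no nonce and no capability check ---
function acc_example_modify_config_vulnerable() {
    // Any request reaching admin-ajax.php with action=accessibe_modify_config is
    // honoured, including one auto-submitted by a page an administrator was lured to.
    $config = isset( $_POST['config'] ) ? sanitize_text_field( wp_unslash( $_POST['config'] ) ) : '';
    update_option( 'acc_example_config', $config );
    wp_send_json_success();
}
// Shown for illustration only; the hardened handler below is the one hooked up.
// add_action( 'wp_ajax_accessibe_modify_config', 'acc_example_modify_config_vulnerable' );
// add_action( 'wp_ajax_nopriv_accessibe_modify_config', 'acc_example_modify_config_vulnerable' );

// --- Hardened pattern ---
function acc_example_modify_config_hardened() {
    // 1. Nonce: check_ajax_referer() dies with a 403 unless the request carries a
    //    token minted for this user and this action. A cross-site page cannot read it.
    check_ajax_referer( 'acc_example_modify_config', 'nonce' );
    // 2. Capability: a valid nonce from a low-privilege account is still not enough.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $config = isset( $_POST['config'] ) ? sanitize_text_field( wp_unslash( $_POST['config'] ) ) : '';
    update_option( 'acc_example_config', $config );
    wp_send_json_success();
}
// Logged-in users only: no wp_ajax_nopriv_ hook for a privileged action.
add_action( 'wp_ajax_accessibe_modify_config', 'acc_example_modify_config_hardened' );

// Hand the token to the plugin's own admin page script, which sends it back as `nonce`.
function acc_example_enqueue_admin_script( $hook ) {
    wp_enqueue_script( 'acc-example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'acc-example-admin', 'accExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'acc_example_modify_config' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'acc_example_enqueue_admin_script' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_` and `wp_ajax_nopriv_` registration and confirm the handler reaches `check_ajax_referer()` (or `wp_verify_nonce()`) and a `current_user_can()` check before any `update_option()`, file write or similar state change.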


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-09-12T15:42:42.324Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68ea263d5baaa01f1ca0ff91

Added to database: 10/11/2025, 9:41:17 AM

Last enriched: 10/11/2025, 10:00:00 AM

Last updated: 10/15/2025, 4:43:26 PM