CVE-2025-10375: CWE-352 Cross-Site Request Forgery (CSRF) in accessibewp Web Accessibility by accessiBe
The Web Accessibility By accessiBe plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10. This is due to missing nonce validation on multiple AJAX actions including accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. This makes it possible for unauthenticated attackers to modify plugin settings and create verification files via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
The Web Accessibility by accessiBe plugin for WordPress, widely used to help sites meet accessibility requirements, contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-10375. It affects all versions up to and including 2.10 and stems from the absence of nonce validation on several AJAX actions: accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. A WordPress nonce is a token tied to a specific action and to the user's session; a handler that checks it can distinguish a request initiated from the site's own pages from one forged by a third-party site, because the browser attaches the victim's cookies to both kinds of request and the cookie alone cannot tell them apart. Without that check, an attacker can craft a web page or email link that, when visited or clicked by a logged-in site administrator, causes the administrator's browser to send requests to the vulnerable actions. Those requests can modify plugin settings or create verification files, altering site behavior or enabling further attacks. The attacker needs no account on the site, but the attack does require user interaction (the administrator following the link). The CVSS v3.1 score is 4.3 (medium severity), reflecting no direct impact on confidentiality or availability but a notable integrity risk. No patch or public exploit is currently available, but the plugin's popularity makes the issue a candidate for future exploitation. The case underlines the need to enforce nonce validation on every AJAX action in a WordPress plugin.
Potential Impact
The primary impact of this vulnerability is on the integrity of the affected websites. An attacker can manipulate plugin configurations or add verification files without authorization, potentially undermining site accessibility features or enabling further malicious activities such as site defacement or privilege escalation. Although confidentiality and availability are not directly impacted, unauthorized configuration changes can degrade user experience and compliance with accessibility standards, which may have legal and reputational consequences. Organizations relying on this plugin risk unauthorized modifications that could disrupt accessibility compliance or introduce security weaknesses. The requirement for administrator interaction limits the attack scope but does not eliminate risk, especially in environments where administrators may be targeted by phishing or social engineering. The vulnerability could be leveraged as part of a broader attack chain, increasing its potential impact. Given the widespread use of WordPress and accessibility plugins, the threat affects a broad range of organizations, including government, education, healthcare, and commercial sectors.
Mitigation Recommendations
Organizations should update the Web Accessibility by accessiBe plugin to a release that adds nonce validation on all of the listed AJAX actions as soon as one is available. Until then, administrators should reduce exposure by restricting administrative access and by treating unsolicited links with caution while logged in to the WordPress dashboard. Web Application Firewall (WAF) rules that block requests to the affected AJAX actions arriving from another origin (for example, POSTs whose Origin or Referer header does not match the site) can provide temporary protection; a WAF cannot verify a WordPress nonce itself, since the nonce is bound to the user's session. Enabling multi-factor authentication (MFA) for administrator accounts lowers the risk of account compromise, although it does not by itself stop CSRF, which rides on an already authenticated session. Regularly auditing plugin configuration and watching for unexpected changes to settings or newly created verification files helps detect exploitation. Plugin developers should review every AJAX endpoint to ensure nonce validation (together with an appropriate capability check) is enforced consistently. Finally, organizations should maintain an incident response plan so that suspected exploitation can be handled promptly.
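As an added illustration of the missing check and of the fix the developer guidance above asks for, here is the unsafe WordPress AJAX handler pattern beside a hardened one. This is example code, not the accessiBe plugin's own: the action name accessibe_modify_config comes from the advisory, while the option key and all function names are hypothetical.

```php
<?php
// Illustrative WordPress AJAX handlers, not the accessiBe plugin's own code.
// The action name accessibe_modify_config comes from the advisory; the option
// key 'accessibe_config_example' and all function names are hypothetical.

// VULNERABLE pattern (CWE-352): the callback accepts any request carrying the
// admin's session cookie, which the browser attaches to a forged cross-site
// POST just as it does to a legitimate one, so the option gets overwritten.
function example_modify_config_unsafe() {
    $config = isset( $_POST['config'] ) ? wp_unslash( $_POST['config'] ) : '';
    update_option( 'accessibe_config_example', sanitize_text_field( $config ) );
    wp_send_json_success();
}
// Would be registered as: add_action( 'wp_ajax_accessibe_modify_config', ... );

// HARDENED pattern: require a nonce bound to this action and to the current
// user's session, then check the capability the action actually needs.
function example_modify_config_safe() {
    // Terminates with -1 and HTTP 403 when the nonce is missing, expired, or
    // was issued for a different action or user. A third-party page cannot
    // read the nonce, so it cannot build a request that passes this line.
    check_ajax_referer( 'accessibe_modify_config', 'nonce' );

    // A nonce proves intent, not privilege: still enforce authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $config = isset( $_POST['config'] ) ? wp_unslash( $_POST['config'] ) : '';
    update_option( 'accessibe_config_example', sanitize_text_field( $config ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_accessibe_modify_config', 'example_modify_config_safe' );

// The plugin's own admin page mints the nonce and passes it to its script,
// which must send it back as the 'nonce' POST field on every request.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'accessibe_modify_config' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The hypothetical admin.js would post `action: 'accessibe_modify_config'` together with `nonce: exampleAjax.nonce` to `exampleAjax.url`; a request lacking that field is rejected before any setting is touched.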
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-12T15:42:42.324Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ea263d5baaa01f1ca0ff91
Added to database: 10/11/2025, 9:41:17 AM
Last enriched: 2/27/2026, 6:23:35 PM
Last updated: 3/23/2026, 3:05:06 PM