CVE-2025-12028: CWE-352 Cross-Site Request Forgery (CSRF) in indieweb IndieAuth
The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the `login_form_indieauth()` function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for unauthenticated attackers to force authenticated users to approve OAuth authorization requests for attacker-controlled applications via a forged request granted they can trick a user into performing an action such as clicking on a link or visiting a malicious page while logged in. The attacker can then exchange the stolen authorization code for an access token, effectively taking over the victim's account with the granted scopes (create, update, delete).
AI Analysis
Technical Summary
The IndieAuth WordPress plugin suffers from a CSRF vulnerability due to absent nonce verification on critical authorization functions. Attackers can exploit this by crafting forged requests that cause logged-in users to unknowingly approve OAuth authorization for malicious applications. This leads to unauthorized issuance of access tokens, granting attackers the ability to perform actions such as creating, updating, or deleting content under the victim's identity. The vulnerability affects all versions up to 4.5.4 and has a CVSS 3.1 base score of 8.8, indicating high severity.
Potential Impact
An attacker can coerce authenticated users into authorizing OAuth tokens for attacker-controlled applications without their consent. This results in the attacker gaining access tokens with high privileges (create, update, delete), allowing them to take over the victim's account and perform unauthorized actions within the scope of the granted permissions. The compromise affects confidentiality, integrity, and availability of the victim's account and associated data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid using vulnerable versions of the IndieAuth plugin and consider disabling the plugin if possible. Monitoring for updates from the IndieWeb project or WordPress plugin repository is recommended to apply any forthcoming official fixes promptly.
CVE-2025-12028: CWE-352 Cross-Site Request Forgery (CSRF) in indieweb IndieAuth
Description
The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the `login_form_indieauth()` function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for unauthenticated attackers to force authenticated users to approve OAuth authorization requests for attacker-controlled applications via a forged request granted they can trick a user into performing an action such as clicking on a link or visiting a malicious page while logged in. The attacker can then exchange the stolen authorization code for an access token, effectively taking over the victim's account with the granted scopes (create, update, delete).
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The IndieAuth WordPress plugin suffers from a CSRF vulnerability due to absent nonce verification on critical authorization functions. Attackers can exploit this by crafting forged requests that cause logged-in users to unknowingly approve OAuth authorization for malicious applications. This leads to unauthorized issuance of access tokens, granting attackers the ability to perform actions such as creating, updating, or deleting content under the victim's identity. The vulnerability affects all versions up to 4.5.4 and has a CVSS 3.1 base score of 8.8, indicating high severity.
Potential Impact
An attacker can coerce authenticated users into authorizing OAuth tokens for attacker-controlled applications without their consent. This results in the attacker gaining access tokens with high privileges (create, update, delete), allowing them to take over the victim's account and perform unauthorized actions within the scope of the granted permissions. The compromise affects confidentiality, integrity, and availability of the victim's account and associated data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid using vulnerable versions of the IndieAuth plugin and consider disabling the plugin if possible. Monitoring for updates from the IndieWeb project or WordPress plugin repository is recommended to apply any forthcoming official fixes promptly.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-10-21T15:30:05.581Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68fb3a1f0691a1b599160742
Added to database: 10/24/2025, 8:34:39 AM
Last enriched: 4/9/2026, 4:02:57 PM
Last updated: 5/10/2026, 3:13:48 AM
Views: 236
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.