The WP Hallo Welt plugin for WordPress suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-13365, affecting all versions up to and including 1.4. The root cause is the absence or improper implementation of nonce validation in the 'hallo_welt_seite' function, which is intended to protect against unauthorized requests. Without this protection, attackers can craft malicious requests that, when executed by an authenticated administrator (via clicking a link or visiting a malicious page), result in unauthorized changes to plugin settings. Furthermore, due to insufficient input sanitization and output escaping, these unauthorized changes can include injection of malicious web scripts, leading to Stored Cross-Site Scripting (XSS). This combination elevates the risk as the attacker can persistently inject scripts that execute in the context of the administrator's browser, potentially stealing credentials, session tokens, or performing actions on behalf of the admin. The vulnerability does not require the attacker to be authenticated but does require the administrator's interaction, such as clicking a crafted link. The CVSS 3.1 score of 6.1 reflects a medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and a scope change due to the stored XSS impact. No patches or exploits are currently publicly available, but the vulnerability's presence in a WordPress plugin widely used in various sites makes it a relevant threat.

The primary impact of CVE-2025-13365 is unauthorized modification of plugin settings and persistent injection of malicious scripts via Stored XSS. This can compromise the confidentiality and integrity of the affected WordPress sites by enabling attackers to hijack administrator sessions, steal sensitive information, or perform administrative actions without consent. While availability is not directly affected, the injected scripts could be leveraged for further attacks such as phishing or malware distribution, indirectly impacting site trust and uptime. Organizations running the WP Hallo Welt plugin are at risk of administrative account compromise and site defacement or manipulation. Given WordPress's widespread use, this vulnerability could affect a broad range of websites, including corporate, governmental, and personal blogs, potentially leading to reputational damage and data breaches. The requirement for administrator interaction limits mass exploitation but targeted attacks against high-value sites remain a concern.

To mitigate this vulnerability, organizations should immediately update the WP Hallo Welt plugin to a version that includes proper nonce validation and input sanitization once available. Until a patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. Implementing Web Application Firewall (WAF) rules to detect and block suspicious CSRF attempts targeting the 'hallo_welt_seite' function can provide temporary protection. Additionally, administrators should be trained to avoid clicking on untrusted links and to verify the legitimacy of requests affecting plugin settings. Enforcing least privilege principles by limiting administrative access and monitoring logs for unusual configuration changes can help detect exploitation attempts. Regular security audits and scanning for stored XSS payloads in plugin settings are recommended to identify and remediate any injected malicious scripts.