CVE-2025-13521 is a medium-severity security vulnerability classified as CWE-352 (Cross-Site Request Forgery) found in the WP Status Notifier plugin for WordPress, maintained by fulippo. The vulnerability exists in all plugin versions up to and including 1.0 due to missing or incorrect nonce validation during the settings update process. Nonces in WordPress are security tokens used to verify that requests are intentional and originate from legitimate users. Without proper nonce validation, an attacker can craft a malicious request that, when executed by an authenticated administrator (e.g., via clicking a link), causes unauthorized changes to the plugin's configuration. This attack vector requires no authentication on the attacker’s part but does require user interaction from an administrator, making it a targeted but feasible attack. The vulnerability affects the integrity of the plugin’s settings but does not compromise confidentiality or availability. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects that the attack can be performed remotely over the network with low complexity, no privileges required, user interaction needed, and impacts integrity only. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is significant for WordPress sites using this plugin, as unauthorized configuration changes could lead to further security issues or misconfigurations.

The primary impact of this vulnerability is on the integrity of the WP Status Notifier plugin’s settings. An attacker who successfully exploits this vulnerability can alter plugin configurations without authorization, potentially enabling malicious behaviors such as disabling notifications, redirecting alerts, or modifying plugin operations in a way that could facilitate further attacks or reduce site security. Although confidentiality and availability are not directly affected, the integrity compromise could indirectly lead to broader security risks if attackers leverage altered settings to weaken defenses or conceal malicious activity. Organizations running WordPress sites with this plugin are at risk of unauthorized administrative changes, which could undermine trust in site monitoring and alerting mechanisms. The requirement for user interaction limits mass exploitation but targeted attacks against administrators remain a concern. Given WordPress’s widespread use globally, the vulnerability could affect a significant number of sites, especially those that have not implemented additional CSRF protections or security best practices.

To mitigate this vulnerability, organizations should implement the following specific measures: 1) Immediately update the WP Status Notifier plugin once a patched version is released by the vendor to ensure proper nonce validation is enforced. 2) Until a patch is available, restrict administrative access to trusted networks or use multi-factor authentication to reduce the risk of an administrator being tricked into clicking malicious links. 3) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests that attempt to update plugin settings without valid nonces. 4) Educate administrators about the risks of clicking on unsolicited links, especially those that could trigger administrative actions. 5) Regularly audit plugin configurations and logs for unauthorized changes to detect potential exploitation attempts early. 6) Consider disabling or removing the plugin if it is not essential to reduce the attack surface. 7) Implement Content Security Policy (CSP) headers and SameSite cookie attributes to help mitigate CSRF risks across the WordPress site. These targeted steps go beyond generic advice by focusing on immediate risk reduction and monitoring until a vendor patch is available.