CVE-2025-13629 is a medium-severity CSRF vulnerability in the WP Landing Page plugin for WordPress, affecting all versions up to and including 0.9.3. The root cause is the absence of nonce validation in the 'wplp_api_update_text' function, which is responsible for updating post meta data. Nonces in WordPress are security tokens used to verify that requests originate from legitimate users and prevent unauthorized actions. Without nonce validation, an attacker can craft a malicious request that, when executed by an authenticated administrator (e.g., by clicking a link), causes the server to process unauthorized changes to post meta fields. This attack does not require the attacker to be authenticated but depends on social engineering to induce administrator interaction. The vulnerability impacts data integrity by allowing unauthorized modification of content metadata but does not expose confidential information or disrupt service availability. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) indicates network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality or availability impact, and limited integrity impact. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability was reserved on 2025-11-24 and published on 2025-12-06 by Wordfence.

The primary impact of this vulnerability is unauthorized modification of post meta data within WordPress sites using the vulnerable plugin. This can lead to data integrity issues, such as altered content metadata that may affect site behavior, SEO, or displayed information. While confidentiality and availability are not directly impacted, the integrity compromise can undermine trust in the website's content and functionality. Attackers can exploit this vulnerability remotely without authentication but require an administrator to perform an action (click a malicious link), making social engineering a key factor. Organizations with high-value content or strict content integrity requirements are at greater risk. Additionally, compromised post meta data could be leveraged in chained attacks or to facilitate further exploitation. Although no known exploits exist currently, the vulnerability's presence in a popular CMS plugin increases the likelihood of future exploitation attempts, especially as WordPress powers a significant portion of websites globally.

To mitigate this vulnerability, organizations should immediately verify if they are using the WP Landing Page plugin version 0.9.3 or earlier and upgrade to a patched version once available. In the absence of an official patch, site administrators or developers should implement nonce validation in the 'wplp_api_update_text' function to ensure requests are legitimate and originate from authorized users. This involves adding WordPress nonce checks (e.g., using wp_verify_nonce) before processing updates to post meta data. Additionally, administrators should be trained to recognize and avoid clicking suspicious or unsolicited links, especially those that could trigger administrative actions. Employing web application firewalls (WAFs) that can detect and block CSRF attack patterns may provide temporary protection. Regular security audits and monitoring for unusual post meta changes can help detect exploitation attempts early. Finally, limiting administrative privileges and using multi-factor authentication can reduce the risk of successful exploitation.