CVE-2025-28887 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Fastmover Plugins Last Updated Column plugin, specifically in versions up to 0.1.3. CSRF vulnerabilities occur when a web application does not adequately verify that requests modifying state originate from legitimate users, allowing attackers to craft malicious web pages that cause authenticated users to unknowingly perform unwanted actions. In this case, the plugin fails to implement sufficient anti-CSRF tokens or validation mechanisms to confirm the legitimacy of requests affecting the plugin's functionality. An attacker can exploit this by luring an authenticated user to a malicious website, which then sends crafted requests to the vulnerable plugin, potentially altering plugin settings or data without the user's consent. The vulnerability affects all versions up to 0.1.3, with no patches or fixes currently linked. Although no known exploits have been reported in the wild, the risk remains due to the plugin's usage in WordPress environments. The vulnerability does not appear to allow privilege escalation or direct data exfiltration but can lead to unauthorized changes that may affect site integrity or availability. The lack of a CVSS score requires a severity assessment based on the vulnerability's characteristics, including the need for user authentication and the absence of user interaction beyond visiting a malicious page.

The primary impact of this CSRF vulnerability is unauthorized state changes within websites using the Fastmover Plugins Last Updated Column plugin. Attackers can exploit this flaw to manipulate plugin settings or data, potentially disrupting site functionality or causing misinformation about plugin update statuses. While it does not directly lead to data breaches or remote code execution, unauthorized changes can undermine site integrity and user trust. Organizations relying on this plugin may face operational disruptions, increased administrative overhead to detect and revert unauthorized changes, and reputational damage if users are affected. Since exploitation requires an authenticated user, the threat is limited to sites with logged-in users, such as administrators or editors, increasing the risk in environments with multiple privileged users. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks. Overall, the vulnerability could be leveraged as part of a broader attack chain, especially in targeted attacks against high-value WordPress sites.

To mitigate this vulnerability, organizations should first check for any official patches or updates from Fastmover and apply them promptly once available. In the absence of patches, administrators can implement several practical measures: 1) Employ Web Application Firewalls (WAFs) with rules designed to detect and block CSRF attack patterns targeting the plugin's endpoints. 2) Enforce strict Content Security Policies (CSP) to reduce the risk of malicious cross-site requests. 3) Limit the number of users with administrative or editor privileges to reduce the attack surface. 4) Educate users about the risks of visiting untrusted websites while authenticated to sensitive sites. 5) Implement additional CSRF protections at the web server or application level, such as custom tokens or referer header validation, if feasible. 6) Monitor logs for unusual POST requests or changes related to the plugin to detect potential exploitation attempts early. 7) Consider temporarily disabling or replacing the plugin if the risk is unacceptable and no patch is available. These steps provide layered defense beyond generic advice and help reduce the likelihood and impact of exploitation.