CVE-2025-30764 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the AntoineH Football Pool plugin, a WordPress plugin used to manage football pools and related competitions. The vulnerability affects all versions up to and including 2.12.2. CSRF vulnerabilities occur when a web application does not adequately verify that requests modifying state originate from legitimate users, allowing attackers to craft malicious web pages that cause authenticated users to unknowingly perform actions such as changing settings, submitting forms, or triggering transactions. In this case, the Football Pool plugin fails to implement proper CSRF protections, such as anti-CSRF tokens or origin checks, enabling attackers to exploit this flaw. Although no exploits have been reported in the wild, the vulnerability poses a risk to the integrity of the application’s data and potentially its availability if destructive actions are possible. The attack requires the victim to be logged into the Football Pool application and to visit a malicious website or click a crafted link, which limits the ease of exploitation. The plugin is primarily used within WordPress environments, which are widely deployed globally, especially in countries with large WordPress user bases and active football fan communities. The absence of a CVSS score necessitates a severity assessment based on impact and exploitability factors.

The primary impact of this CSRF vulnerability is on the integrity of the Football Pool application’s data and configuration. An attacker could leverage this flaw to perform unauthorized actions on behalf of authenticated users, such as modifying pool settings, submitting or altering entries, or potentially disrupting the normal operation of the plugin. This could lead to data corruption, loss of trust in the application, or denial of service if critical configurations are changed. Confidentiality impact is limited since the vulnerability does not directly expose sensitive data. The requirement for user authentication and interaction reduces the attack surface but does not eliminate risk, especially in environments where users have elevated privileges. Organizations using the Football Pool plugin, particularly those running public or community-facing websites, may face reputational damage and operational disruption if exploited. The lack of known exploits suggests limited current threat activity, but the vulnerability should be addressed promptly to prevent future abuse.

To mitigate this CSRF vulnerability, organizations should immediately update the AntoineH Football Pool plugin to a version that includes proper CSRF protections once available. In the absence of an official patch, administrators can implement the following measures: 1) Restrict access to the Football Pool plugin’s administrative interfaces to trusted users and IP addresses where feasible. 2) Employ web application firewalls (WAFs) that can detect and block CSRF attack patterns or anomalous requests. 3) Educate users about the risks of clicking on untrusted links or visiting suspicious websites while authenticated. 4) Implement additional security controls at the WordPress level, such as two-factor authentication and session management policies, to reduce the risk of session hijacking. 5) Monitor logs for unusual activities related to Football Pool plugin actions. 6) Consider custom development to add nonce or token verification to plugin forms and state-changing requests if immediate patching is not possible. These steps help reduce the risk until an official patch is released.