CVE-2025-32477 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the WP-Easy Menu plugin for WordPress, developed by Jordi Salord. This vulnerability affects all versions up to and including 0.41. CSRF vulnerabilities allow attackers to trick authenticated users into submitting unwanted requests to a web application, leveraging the victim's credentials and privileges. In this case, the CSRF flaw enables an attacker to perform unauthorized actions that result in Stored Cross-Site Scripting (XSS). Stored XSS occurs when malicious scripts are permanently injected into a target website’s content, which then executes in the browsers of users visiting the site. This can lead to session hijacking, defacement, or redirection to malicious sites. The vulnerability requires the victim to be authenticated on the affected WordPress site and to visit a maliciously crafted webpage controlled by the attacker. No CVSS score has been assigned yet, and no official patches or exploit code are publicly available. The vulnerability was published on April 9, 2025, and is tracked under CVE-2025-32477. The absence of patches means that affected sites remain vulnerable until the vendor releases a fix or mitigations are applied. This vulnerability is particularly critical because WordPress powers a large portion of the web, and plugins like WP-Easy Menu are widely used to manage site navigation, making them attractive targets for attackers seeking to compromise site integrity and user trust.

The impact of CVE-2025-32477 on organizations worldwide can be significant. Successful exploitation allows attackers to perform unauthorized actions via CSRF, leading to Stored XSS attacks that can compromise the confidentiality, integrity, and availability of affected websites. Confidentiality may be breached through session hijacking or theft of sensitive user data. Integrity can be compromised by injecting malicious scripts that alter site content or behavior. Availability could be affected if attackers use the vulnerability to deface the site or disrupt normal operations. For organizations relying on WP-Easy Menu, especially those with high traffic or sensitive user data, this vulnerability could lead to reputational damage, loss of customer trust, and potential regulatory penalties. The lack of an official patch increases the window of exposure. Attackers do not require advanced privileges beyond victim authentication, but user interaction (visiting a malicious page) is necessary. This vulnerability also increases the attack surface for further exploitation, such as phishing or malware distribution through compromised sites.

To mitigate CVE-2025-32477, organizations should take immediate and specific actions beyond generic advice: 1) Temporarily disable the WP-Easy Menu plugin until an official patch is released to eliminate the attack vector. 2) Restrict administrative access to trusted IP addresses or VPNs to reduce the risk of CSRF exploitation. 3) Implement Web Application Firewall (WAF) rules that detect and block suspicious CSRF attempts targeting the plugin’s endpoints. 4) Educate authenticated users, especially administrators, about the risks of visiting untrusted websites while logged into the WordPress admin panel. 5) Monitor web server and application logs for unusual POST requests or changes to menu configurations indicative of exploitation attempts. 6) Regularly back up website data and configurations to enable rapid recovery if compromise occurs. 7) Follow Jordi Salord’s official channels for updates and apply patches promptly once available. 8) Consider employing security plugins that add CSRF tokens and additional input validation to WordPress forms as a temporary protective measure. These targeted steps will help reduce the risk and impact of exploitation until a permanent fix is deployed.