
CVE-2025-3867: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in rafe007 Ajax Comment Form CST

Severity: Medium
Tags: Vulnerability, CVE-2025-3867, CWE-79
Published: Fri Apr 25 2025 (04/25/2025, 06:45:27 UTC)
Source: CVE
Vendor/Project: rafe007
Product: Ajax Comment Form CST

Description

The Ajax Comment Form CST plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation via the 'acform_cst_settings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 13:58:18 UTC

Technical Analysis

CVE-2025-3867 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Ajax Comment Form CST plugin for WordPress, affecting all versions up to and including 1.2. The root cause is missing or incorrect nonce validation on the 'acform_cst_settings' administrative page. WordPress nonces are per-user, time-limited tokens that a state-changing request must carry to prove it originated from a form the site itself served; checking them is how WordPress distinguishes a legitimate settings submission from a forged cross-site request. Without that check, an attacker can craft a request that, when an authenticated administrator's browser submits it (for example, after the administrator clicks a link), modifies plugin settings without authorization. The modified settings can carry malicious JavaScript, which is why the record is classed as Cross-Site Scripting (CWE-79). The attacker needs no privileges on the target site, but user interaction is required: an administrator must be tricked into performing the action. The CVSS v3.1 score of 6.1 reflects medium severity: network attack vector, low attack complexity, no privileges required, user interaction required, and a scope change indicating that the impact extends beyond the vulnerable component. The impact includes confidentiality and integrity loss through script injection, which could be used for session hijacking, defacement, or further exploitation. No patches or fixes are currently linked, and no known exploits had been reported in the wild as of the publication date. The vulnerability is relevant to every WordPress site running the Ajax Comment Form CST plugin, a niche but potentially widely deployed comment-management plugin.
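The following is an added illustration of the bug class described above, not code from the Ajax Comment Form CST plugin or from the advisory. Only the page slug 'acform_cst_settings' comes from the record; the option name, field names, function names and nonce action are assumed. It shows a settings handler that trusts any POST reaching the admin page next to one that enforces capability, nonce and sanitization, using WordPress core functions only:

```php
<?php
// Added example, not the plugin's own code. The option and field names below
// are hypothetical; 'acform_cst_settings' is the page slug named in the advisory.

// --- Vulnerable pattern -----------------------------------------------------
// The handler accepts any POST that reaches the admin page. A form on another
// site, submitted by a logged-in administrator's browser, carries the admin's
// cookies and therefore updates the option. Nothing ties the request to a form
// that this site served.
function acform_cst_save_settings_vulnerable() {
    if ( isset( $_POST['acform_cst_message'] ) ) {
        // No nonce check, no capability check, no sanitization: whatever the
        // request carries (including markup) is stored and later rendered.
        update_option( 'acform_cst_message', $_POST['acform_cst_message'] );
    }
}

// --- Hardened handler -------------------------------------------------------
function acform_cst_save_settings_hardened() {
    if ( ! isset( $_POST['acform_cst_message'] ) ) {
        return;
    }
    // 1. Authorization: only users who may manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. CSRF defence: the nonce is bound to this action and to the current
    //    user session, so a forged cross-site form cannot supply a valid one.
    //    check_admin_referer() stops the request with wp_die() on failure.
    check_admin_referer( 'acform_cst_save_settings', 'acform_cst_nonce' );
    // 3. Input handling: remove tags and control characters before storing.
    $message = sanitize_text_field( wp_unslash( $_POST['acform_cst_message'] ) );
    update_option( 'acform_cst_message', $message );
}

// The form that pairs with the hardened handler. wp_nonce_field() emits the
// hidden nonce input (plus a referer field) that check_admin_referer() expects,
// so only a form rendered by this site for this user carries a usable token.
function acform_cst_render_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=acform_cst_settings' ) ); ?>">
        <?php wp_nonce_field( 'acform_cst_save_settings', 'acform_cst_nonce' ); ?>
        <label for="acform_cst_message">Comment form message</label>
        <input type="text" id="acform_cst_message" name="acform_cst_message"
               value="<?php echo esc_attr( get_option( 'acform_cst_message', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Where the stored value is later printed on the public comment form, escape
// on output too: sanitization at storage time is not a substitute for it.
function acform_cst_print_message() {
    echo esc_html( get_option( 'acform_cst_message', '' ) );
}
```

The nonce check alone closes the CSRF hole; the capability check and the escaping on output are the layers that keep a future mistake in either place from turning back into stored XSS. When auditing a plugin for this class of issue, look for every `update_option()` or settings write reachable from an admin page and confirm a `check_admin_referer()` or `wp_verify_nonce()` call guards it.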

Potential Impact

The primary impact of CVE-2025-3867 is unauthorized modification of plugin settings and injection of malicious scripts via CSRF, which can lead to Cross-Site Scripting attacks. This compromises the confidentiality and integrity of affected WordPress sites by allowing attackers to execute arbitrary JavaScript in the context of the administrator's browser. Potential consequences include session hijacking, credential theft, defacement, and pivoting to further attacks within the site or network. Since the vulnerability requires an administrator to be tricked into clicking a malicious link, social engineering is a key factor, increasing the risk in environments with less security awareness. The scope change in the CVSS vector indicates that the vulnerability affects components beyond the plugin itself, potentially impacting the entire WordPress site. Organizations running websites with this plugin are at risk of reputational damage, data breaches, and loss of user trust. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as exploit code could be developed and shared. The vulnerability is particularly impactful for organizations relying on WordPress for customer engagement, content management, or e-commerce, where trust and data integrity are critical.

Mitigation Recommendations

To mitigate CVE-2025-3867, organizations should first verify if they use the Ajax Comment Form CST plugin and identify the version in use. Immediate mitigation includes restricting administrative access to trusted personnel only and enforcing multi-factor authentication (MFA) to reduce the risk of compromised admin accounts. Administrators should be trained to recognize phishing attempts and avoid clicking suspicious links, especially those that could trigger administrative actions. Since no official patch is currently available, consider temporarily disabling or removing the plugin until a fix is released. Implement Web Application Firewall (WAF) rules to detect and block CSRF attack patterns targeting the 'acform_cst_settings' endpoint. Monitor logs for unusual POST requests or changes to plugin settings. Additionally, site owners can implement Content Security Policy (CSP) headers to limit the impact of injected scripts. Regular backups and incident response plans should be updated to quickly recover from potential exploitation. Finally, stay informed about updates from the plugin vendor or WordPress security advisories to apply patches promptly once available.
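As an added example for the log-monitoring step above (not part of the record, and not a product of the plugin vendor or of this site), the script below triages combined-format web server access log lines for POSTs to the settings page that lack a same-origin Referer. A request forged from another site arrives with the administrator's cookies but with either a foreign Referer or none at all, so that combination on an admin POST is a useful hunting signal rather than proof of exploitation. The log lines, hostnames and IP addresses are constructed for the example; the function names are assumed.

```php
<?php
// Added example, not the advisory's or the plugin's code. Flags POST requests
// to the plugin settings page whose Referer is absent or from another host.

$settings_page = 'page=acform_cst_settings'; // slug from the advisory
$site_host     = 'blog.example';             // constructed value for the example

// Constructed sample access log (combined format). Hosts and IPs are made up.
$sample_log = <<<'LOG'
203.0.113.7 - - [25/Apr/2025:06:45:01 +0000] "GET /wp-admin/admin.php?page=acform_cst_settings HTTP/1.1" 200 5120 "https://blog.example/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [25/Apr/2025:06:45:20 +0000] "POST /wp-admin/admin.php?page=acform_cst_settings HTTP/1.1" 302 0 "https://blog.example/wp-admin/admin.php?page=acform_cst_settings" "Mozilla/5.0"
203.0.113.7 - - [25/Apr/2025:06:47:11 +0000] "POST /wp-admin/admin.php?page=acform_cst_settings HTTP/1.1" 302 0 "https://lure.invalid/win.html" "Mozilla/5.0"
203.0.113.7 - - [25/Apr/2025:06:48:02 +0000] "POST /wp-admin/admin.php?page=acform_cst_settings HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Apr/2025:06:49:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://blog.example/hello-world/" "Mozilla/5.0"
LOG;

/**
 * Parse one combined-format line into the fields this check needs, or return
 * null when the line does not match the format.
 */
function acform_parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6], // "-" when the browser sent none
    ];
}

/**
 * Return the entries that are POSTs to the settings page and whose Referer is
 * either missing or points at a host other than $site_host.
 */
function acform_flag_cross_origin_posts( string $log, string $settings_page, string $site_host ): array {
    $flagged = [];
    foreach ( explode( "\n", trim( $log ) ) as $line ) {
        $e = acform_parse_log_line( $line );
        if ( $e === null || $e['method'] !== 'POST' || strpos( $e['path'], $settings_page ) === false ) {
            continue;
        }
        $referer_host = $e['referer'] === '-' ? null : parse_url( $e['referer'], PHP_URL_HOST );
        if ( $referer_host === null ) {
            $e['reason'] = 'no Referer on admin POST';
            $flagged[]   = $e;
        } elseif ( strcasecmp( $referer_host, $site_host ) !== 0 ) {
            $e['reason'] = "Referer host $referer_host is not $site_host";
            $flagged[]   = $e;
        }
    }
    return $flagged;
}

foreach ( acform_flag_cross_origin_posts( $sample_log, $settings_page, $site_host ) as $hit ) {
    printf( "%s %s %s -> %s\n", $hit['time'], $hit['ip'], $hit['path'], $hit['reason'] );
}
```

Run against the sample, the same-origin settings POST and the unrelated comment POST are ignored, while the POST with a foreign Referer and the one with no Referer are reported. In production, pair this with the WordPress option change itself (for example, a diff of `wp_options` or an audit-log plugin entry) in the same time window: a flagged POST followed by a settings change from an administrator who does not recall making it is the pattern worth escalating.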


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-04-22T14:47:52.051Z
Cisa Enriched
true

Threat ID: 682d983ec4522896dcbf01e3

Added to database: 5/21/2025, 9:09:18 AM

Last enriched: 2/27/2026, 1:58:18 PM

Last updated: 3/23/2026, 9:53:51 PM

Views: 74
