CVE-2025-5930: CWE-352 Cross-Site Request Forgery (CSRF) in digitalacornjp WP2HTML
The WP2HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-5930 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP2HTML plugin for WordPress, developed by digitalacornjp. This vulnerability exists in all versions up to and including 1.0.2 due to missing or incorrect nonce validation in the plugin's save() function. Nonces in WordPress are security tokens used to verify that requests to perform sensitive actions originate from legitimate users and not from forged requests. The absence or improper implementation of nonce validation allows an attacker to craft a malicious request that, when executed by an authenticated site administrator (e.g., by clicking a link or visiting a malicious page), can alter the plugin's settings without the administrator's consent or knowledge. The vulnerability does not require the attacker to be authenticated, but it does require user interaction from an administrator. The CVSS v3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires no privileges, but does require user interaction. The impact is limited to integrity, as confidentiality and availability are not affected. No known exploits are currently reported in the wild, and no official patches or updates have been published at the time of this report. The vulnerability is classified under CWE-352, which covers CSRF weaknesses that allow unauthorized commands to be transmitted from a user that the web application trusts.
Potential Impact
For European organizations using WordPress sites with the WP2HTML plugin, this vulnerability poses a moderate risk to the integrity of their website configurations. An attacker exploiting this flaw could modify plugin settings, potentially leading to unauthorized changes in how content is rendered or processed, which could be leveraged for further attacks such as content injection or defacement. Although the vulnerability does not directly compromise confidentiality or availability, altered plugin settings could indirectly facilitate phishing, misinformation, or degrade user trust. The requirement for administrator interaction limits the attack scope but does not eliminate risk, especially in environments where administrators may be targeted via social engineering or spear-phishing campaigns. Organizations with high-profile or public-facing WordPress sites, including government, media, and e-commerce sectors, could face reputational damage or operational disruptions if exploited. The lack of known active exploits reduces immediate risk but should not lead to complacency, as attackers often develop exploits rapidly once vulnerabilities are disclosed.
Mitigation Recommendations
1. Immediate mitigation involves educating WordPress site administrators to avoid clicking on suspicious links or visiting untrusted websites while logged into the WordPress admin panel. 2. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious POST requests targeting the WP2HTML plugin's save() function. 3. Restrict administrative access to trusted IP addresses or VPNs to reduce exposure to CSRF attacks. 4. Monitor WordPress logs for unusual changes to plugin settings or unexpected POST requests. 5. Developers or site maintainers should implement or enforce proper nonce validation in the WP2HTML plugin's save() function to ensure that only legitimate requests from authenticated administrators are processed. 6. Until an official patch is released, consider disabling or removing the WP2HTML plugin if it is not critical to operations. 7. Regularly back up WordPress site configurations and content to enable quick restoration if unauthorized changes occur. 8. Employ Content Security Policy (CSP) headers to reduce the risk of malicious content injection that could facilitate CSRF attacks.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
CVE-2025-5930: CWE-352 Cross-Site Request Forgery (CSRF) in digitalacornjp WP2HTML
Description
The WP2HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AI-Powered Analysis
Technical Analysis
CVE-2025-5930 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP2HTML plugin for WordPress, developed by digitalacornjp. This vulnerability exists in all versions up to and including 1.0.2 due to missing or incorrect nonce validation in the plugin's save() function. Nonces in WordPress are security tokens used to verify that requests to perform sensitive actions originate from legitimate users and not from forged requests. The absence or improper implementation of nonce validation allows an attacker to craft a malicious request that, when executed by an authenticated site administrator (e.g., by clicking a link or visiting a malicious page), can alter the plugin's settings without the administrator's consent or knowledge. The vulnerability does not require the attacker to be authenticated, but it does require user interaction from an administrator. The CVSS v3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires no privileges, but does require user interaction. The impact is limited to integrity, as confidentiality and availability are not affected. No known exploits are currently reported in the wild, and no official patches or updates have been published at the time of this report. The vulnerability is classified under CWE-352, which covers CSRF weaknesses that allow unauthorized commands to be transmitted from a user that the web application trusts.
Potential Impact
For European organizations using WordPress sites with the WP2HTML plugin, this vulnerability poses a moderate risk to the integrity of their website configurations. An attacker exploiting this flaw could modify plugin settings, potentially leading to unauthorized changes in how content is rendered or processed, which could be leveraged for further attacks such as content injection or defacement. Although the vulnerability does not directly compromise confidentiality or availability, altered plugin settings could indirectly facilitate phishing, misinformation, or degrade user trust. The requirement for administrator interaction limits the attack scope but does not eliminate risk, especially in environments where administrators may be targeted via social engineering or spear-phishing campaigns. Organizations with high-profile or public-facing WordPress sites, including government, media, and e-commerce sectors, could face reputational damage or operational disruptions if exploited. The lack of known active exploits reduces immediate risk but should not lead to complacency, as attackers often develop exploits rapidly once vulnerabilities are disclosed.
Mitigation Recommendations
1. Immediate mitigation involves educating WordPress site administrators to avoid clicking on suspicious links or visiting untrusted websites while logged into the WordPress admin panel. 2. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious POST requests targeting the WP2HTML plugin's save() function. 3. Restrict administrative access to trusted IP addresses or VPNs to reduce exposure to CSRF attacks. 4. Monitor WordPress logs for unusual changes to plugin settings or unexpected POST requests. 5. Developers or site maintainers should implement or enforce proper nonce validation in the WP2HTML plugin's save() function to ensure that only legitimate requests from authenticated administrators are processed. 6. Until an official patch is released, consider disabling or removing the WP2HTML plugin if it is not critical to operations. 7. Regularly back up WordPress site configurations and content to enable quick restoration if unauthorized changes occur. 8. Employ Content Security Policy (CSP) headers to reduce the risk of malicious content injection that could facilitate CSRF attacks.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-06-09T14:46:26.544Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 684b8f24358c65714e6b57aa
Added to database: 6/13/2025, 2:38:28 AM
Last enriched: 6/13/2025, 2:54:39 AM
Last updated: 7/30/2025, 4:17:17 PM
Views: 15
Related Threats
CVE-2025-9002: SQL Injection in Surbowl dormitory-management-php
MediumCVE-2025-9001: Stack-based Buffer Overflow in LemonOS
MediumCVE-2025-8867: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in iqonicdesign Graphina – Elementor Charts and Graphs
MediumCVE-2025-8680: CWE-918 Server-Side Request Forgery (SSRF) in bplugins B Slider- Gutenberg Slider Block for WP
MediumCVE-2025-8676: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in bplugins B Slider- Gutenberg Slider Block for WP
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.