
CVE-2025-60156: CWE-352 Cross-Site Request Forgery (CSRF) in webandprint AR For WordPress

Critical
Published: Fri Sep 26 2025 (09/26/2025, 08:31:56 UTC)
Source: CVE Database V5
Vendor/Project: webandprint
Product: AR For WordPress

Description

Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress allows Upload a Web Shell to a Web Server. This issue affects AR For WordPress: from n/a through 7.98.

AI-Powered Analysis

Last updated: 09/26/2025, 14:20:26 UTC

Technical Analysis

CVE-2025-60156 is a critical Cross-Site Request Forgery (CSRF) vulnerability affecting the 'AR For WordPress' plugin developed by webandprint. This vulnerability allows an unauthenticated attacker to trick an authenticated WordPress administrator into executing unwanted actions, specifically enabling the upload of a web shell to the web server hosting the WordPress site. The vulnerability exists in versions up to 7.98 of the plugin. CSRF vulnerabilities exploit the trust a web application places in the user's browser, allowing attackers to perform state-changing requests without the user's consent or knowledge. In this case, the attacker can leverage the CSRF flaw to bypass normal upload restrictions and inject malicious code (web shell), which can then be used to execute arbitrary commands on the server, leading to full compromise of the affected system. The CVSS v3.1 score of 9.6 (critical) reflects the high impact on confidentiality, integrity, and availability, with no privileges required and low attack complexity. The vulnerability requires user interaction (the administrator must visit a crafted URL or page), but no authentication or prior access is needed by the attacker. No patches or fixes have been published at the time of this report, and no known exploits are currently observed in the wild, though the severity and ease of exploitation make it a high-risk threat once weaponized. The vulnerability is categorized under CWE-352, which is a well-known web security weakness related to CSRF attacks.

Potential Impact

For European organizations using WordPress sites with the AR For WordPress plugin (versions up to 7.98), this vulnerability poses a severe risk. Successful exploitation can lead to full server compromise, allowing attackers to upload web shells and execute arbitrary commands, potentially leading to data theft, defacement, ransomware deployment, or pivoting to internal networks. This can severely impact confidentiality, integrity, and availability of organizational data and services. Given the widespread use of WordPress in Europe for corporate, governmental, and e-commerce websites, the threat could disrupt critical services and damage reputations. Additionally, the ability to execute code remotely without authentication increases the risk of large-scale automated attacks targeting vulnerable sites. Organizations in regulated sectors such as finance, healthcare, and public administration face heightened risks due to potential data breaches and compliance violations under GDPR and other regulations.

Mitigation Recommendations

1. Immediate mitigation should include disabling or uninstalling the AR For WordPress plugin until a security patch is released.
2. Implement strict Content Security Policy (CSP) headers and SameSite cookie attributes to reduce CSRF risks.
3. Restrict administrative access to trusted IP addresses and enforce multi-factor authentication (MFA) for WordPress admin accounts to reduce the risk of CSRF exploitation.
4. Monitor web server logs and WordPress activity logs for suspicious upload attempts or unusual administrator actions.
5. Employ Web Application Firewalls (WAF) with custom rules to detect and block CSRF attack patterns targeting the plugin's upload functionality.
6. Regularly update WordPress core and all plugins, and subscribe to vendor security advisories for timely patching once available.
7. Conduct security audits and penetration tests focusing on CSRF and file upload functionalities.
8. Educate administrators about the risks of clicking untrusted links while logged into WordPress admin dashboards.
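The root cause described in the Technical Analysis is a state-changing upload action that trusts the administrator's session cookie alone. In WordPress the standard defense is a per-action nonce checked server-side, paired with a capability check and a file-type allow-list. The following is an added illustration of a hardened admin upload handler; it is not code from the AR For WordPress plugin, and the function names, the `example_upload_model` action, the `model_file` field and the assumed allow-list of 3D model types are all hypothetical.

```php
<?php
// Hypothetical WordPress admin upload handler hardened against CSRF.
// Added example; not code from the AR For WordPress plugin.

// Admin page: the form embeds a nonce bound to one specific action.
function example_render_upload_form() {
    echo '<form method="post" enctype="multipart/form-data" action="'
        . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_upload_model">';
    wp_nonce_field( 'example_upload_model', 'example_upload_nonce' );
    echo '<input type="file" name="model_file">';
    submit_button( 'Upload' );
    echo '</form>';
}

// Handler for admin-post.php?action=example_upload_model.
function example_handle_upload() {
    // 1. Capability check: only users allowed to manage the site may upload.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: a valid nonce proves the request came from our own form,
    //    not from a page the administrator was lured onto. A missing or
    //    foreign nonce terminates the request here with a 403.
    check_admin_referer( 'example_upload_model', 'example_upload_nonce' );

    if ( empty( $_FILES['model_file']['tmp_name'] ) ) {
        wp_die( 'No file uploaded.', '', array( 'response' => 400 ) );
    }
    // 3. Allow-list the file type so PHP code cannot be stored even by a
    //    legitimate administrator (assumed types for an AR/3D-model feature).
    $allowed = array( 'glb' => 'model/gltf-binary', 'gltf' => 'model/gltf+json' );
    $check = wp_check_filetype_and_ext(
        $_FILES['model_file']['tmp_name'], $_FILES['model_file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not allowed.', '', array( 'response' => 415 ) );
    }
    // test_form => false because the nonce was verified above; mimes limits
    // what wp_handle_upload will accept to the same allow-list.
    $result = wp_handle_upload( $_FILES['model_file'],
        array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example_ar&uploaded=1' ) );
    exit;
}
add_action( 'admin_post_example_upload_model', 'example_handle_upload' );
```

Mitigations 2 and 3 above (SameSite cookies, IP restriction) reduce exposure but do not replace the server-side nonce and capability checks, which are what actually close the CSRF path.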


Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-09-25T15:28:03.107Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68d6a11b70abc604262e7896

Added to database: 9/26/2025, 2:20:11 PM

Last enriched: 9/26/2025, 2:20:26 PM

Last updated: 9/29/2025, 4:15:05 AM

