CVE-2025-60208: Cross-Site Request Forgery (CSRF) in Tusko Trush Advanced Custom Fields : CPT Options Pages
Cross-Site Request Forgery (CSRF) vulnerability in Tusko Trush Advanced Custom Fields : CPT Options Pages (acf-cpt-options-pages) allows Object Injection. This issue affects Advanced Custom Fields : CPT Options Pages: from n/a through <= 2.0.9.
AI Analysis
Technical Summary
CVE-2025-60208 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Tusko Trush Advanced Custom Fields : CPT Options Pages plugin, specifically versions up to 2.0.9. The vulnerability arises due to insufficient CSRF protections in the plugin's handling of CPT (Custom Post Type) options pages, allowing attackers to trick authenticated users into submitting malicious requests. This can lead to object injection, where crafted input manipulates the application’s internal objects, potentially resulting in unauthorized data modification, privilege escalation, or code execution depending on the context. The CVSS 3.1 base score of 8.8 indicates a high-severity issue with network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The impact covers confidentiality, integrity, and availability (C:H/I:H/A:H), meaning an attacker can fully compromise the affected system’s data and functionality. Although no public exploits are currently reported, the vulnerability’s nature and high score suggest it could be weaponized rapidly once disclosed. The plugin is commonly used in WordPress environments to extend content management capabilities, making it a valuable target for attackers aiming to compromise websites and their data. The lack of available patches at the time of disclosure necessitates immediate mitigation efforts by administrators.
Potential Impact
For European organizations, this vulnerability poses a significant threat due to the widespread use of WordPress and its plugins across government, enterprise, and SME sectors. Exploitation could lead to unauthorized changes in website content, injection of malicious code, data leakage, or complete site takeover, impacting business continuity and reputation. Sensitive personal data protected under GDPR could be exposed, resulting in regulatory penalties and loss of customer trust. The high impact on confidentiality, integrity, and availability means that critical services relying on affected plugins could be disrupted, affecting e-commerce, public services, and internal communications. Additionally, the ease of exploitation without requiring privileges but needing user interaction (e.g., clicking a malicious link) increases the risk of successful attacks via phishing or social engineering campaigns targeting European users. The absence of known exploits currently provides a window for proactive defense, but the threat landscape could evolve quickly.
Mitigation Recommendations
1. Monitor official channels for patches or updates from Tusko Trush and apply them immediately upon release.
2. Implement Web Application Firewall (WAF) rules to detect and block suspicious CSRF attempts targeting the CPT Options Pages endpoints.
3. Enforce strict CSRF token validation in all forms and AJAX requests related to the plugin's functionality.
4. Limit administrative access to trusted IP ranges and enforce multi-factor authentication (MFA) to reduce the risk of compromised credentials being exploited.
5. Conduct regular security audits and penetration testing focusing on WordPress plugins and custom fields to identify similar vulnerabilities.
6. Educate users and administrators about phishing and social engineering risks, since the attack depends on an authenticated user being tricked into triggering the forged request.
7. Consider temporarily disabling or replacing the affected plugin with alternative solutions until a secure version is available.
8. Employ Content Security Policy (CSP) headers to mitigate the impact of injected scripts if exploitation occurs.
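Recommendation 3 above (strict CSRF token validation on every form and AJAX request) is, in WordPress terms, a nonce check paired with a capability check in the handler that saves the options page. The following is an added illustration written for this page, not code from the acf-cpt-options-pages plugin or from Tusko Trush; the action name `acfcpt_save_options`, the option key `acfcpt_options` and the single `page_title` field are hypothetical placeholders. It shows the standard WordPress pattern: the form embeds a nonce tied to the current user and action, and the `admin-post.php` handler refuses any submission that does not carry a valid one before it touches the database.

```php
<?php
/**
 * Added example (not the plugin's own code): a settings-save handler for a
 * WordPress admin options page, hardened against CSRF with a nonce check
 * plus a capability check. Hypothetical names: action "acfcpt_save_options",
 * option key "acfcpt_options", field "page_title".
 */

// Render the form. wp_nonce_field() emits a hidden token that is bound to the
// logged-in user and to the action name, so a page on another origin cannot
// forge a submission that carries a valid value.
function acfcpt_render_options_form() {
    $opts = get_option( 'acfcpt_options', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'acfcpt_save_options', 'acfcpt_nonce' ); ?>
        <input type="hidden" name="action" value="acfcpt_save_options">
        <label>Page title
            <input type="text" name="page_title"
                   value="<?php echo esc_attr( $opts['page_title'] ?? '' ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the POST. Order matters: capability first, then nonce, then an
// allow-list of scalar fields that are sanitized before being stored.
function acfcpt_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // check_admin_referer() calls wp_die() when the nonce is missing, expired,
    // or was minted for a different user or action. This is the check that
    // stops a cross-site forged request from reaching update_option().
    check_admin_referer( 'acfcpt_save_options', 'acfcpt_nonce' );

    // Only named, scalar fields are accepted; request data is never passed to
    // unserialize()/maybe_unserialize(), which keeps object injection out of
    // the save path even if the nonce check were ever bypassed.
    $allowed = array( 'page_title' );
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
        }
    }
    update_option( 'acfcpt_options', $clean );

    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
add_action( 'admin_post_acfcpt_save_options', 'acfcpt_handle_save' );
```

For AJAX endpoints the same shape applies with `check_ajax_referer()` in place of `check_admin_referer()`, and the nonce is passed from JavaScript via `wp_localize_script()` or a `wp_create_nonce()` value rather than a hidden form field. The allow-list of sanitized scalar fields is the second half of the defence: the description ties this CSRF to object injection, so the handler should store only sanitized strings and never hand request data to `unserialize()`.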
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:28:42.280Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68f8eff604677bbd79439a9a
Added to database: 10/22/2025, 2:53:42 PM
Last enriched: 10/29/2025, 5:24:48 PM
Last updated: 10/30/2025, 10:35:21 AM
Views: 51
Related Threats
- CVE-2025-54941: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Apache Software Foundation Apache Airflow (severity: Unknown)
- CVE-2025-54471: CWE-321: Use of Hard-coded Cryptographic Key in SUSE neuvector (severity: Medium)
- CVE-2025-54469: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in SUSE neuvector (severity: Critical)
- CVE-2025-54470: CWE-295: Improper Certificate Validation in SUSE neuvector (severity: High)
- CVE-2025-62503: CWE-250: Execution with Unnecessary Privileges in Apache Software Foundation Apache Airflow (severity: Unknown)