CVE-2025-60208: Cross-Site Request Forgery (CSRF) in Tusko Trush Advanced Custom Fields : CPT Options Pages
Cross-Site Request Forgery (CSRF) vulnerability in Tusko Trush Advanced Custom Fields : CPT Options Pages acf-cpt-options-pages allows Object Injection. This issue affects Advanced Custom Fields : CPT Options Pages: from n/a through <= 2.0.9.
AI Analysis
Technical Summary
CVE-2025-60208 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Tusko Trush Advanced Custom Fields : CPT Options Pages WordPress plugin, specifically affecting versions up to 2.0.9. This plugin is used to manage custom post type options pages within WordPress, a popular content management system. The vulnerability allows an attacker to craft malicious requests that, when executed by an authenticated user, can perform unauthorized actions due to insufficient CSRF protections. The technical root cause involves object injection facilitated by the CSRF flaw, enabling attackers to manipulate application state or execute arbitrary code within the context of the affected site. The CVSS v3.1 base score of 8.8 reflects the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). This means an attacker can remotely induce a victim user to perform actions that compromise sensitive data, alter site content, or disrupt services. No patches or exploits are currently publicly available, but the vulnerability is published and should be considered critical for sites using this plugin. Because the attacker needs no account of their own and the forged request rides on the victim's existing session, the vulnerability is particularly dangerous for websites with logged-in users who have administrative or editing privileges. The plugin's role in managing custom fields means that exploitation could lead to unauthorized configuration changes or injection of malicious content, impacting the entire site's security posture.
Potential Impact
For European organizations, the impact of CVE-2025-60208 can be severe. Many European companies rely on WordPress for their web presence, including government, healthcare, education, and e-commerce sectors. Exploitation could lead to unauthorized data disclosure, defacement, or complete site takeover, resulting in reputational damage, regulatory penalties under GDPR, and operational disruptions. The high confidentiality impact means sensitive customer or internal data could be exposed. Integrity impact implies attackers could alter website content or configurations, potentially injecting malicious code or redirecting users to phishing sites. Availability impact suggests attackers might disrupt services, causing downtime and loss of business continuity. Given the plugin’s role in managing custom post type options, attackers might also manipulate backend settings, escalating the damage. The vulnerability’s ease of exploitation without authentication increases the risk profile, especially for sites with multiple users or editors. Organizations with public-facing WordPress sites that use this plugin are particularly vulnerable to targeted attacks or automated exploitation attempts. The absence of known exploits in the wild currently provides a window for proactive mitigation, but the threat remains significant.
Mitigation Recommendations
1. Immediately audit all WordPress installations to identify usage of the Tusko Trush Advanced Custom Fields : CPT Options Pages plugin, especially versions up to 2.0.9.
2. Apply vendor-provided patches or updates as soon as they become available; monitor official channels for patch releases.
3. Implement Web Application Firewall (WAF) rules to detect and block suspicious CSRF attack patterns targeting the plugin's endpoints.
4. Enforce strict CSRF token validation on all forms and actions related to the plugin to prevent unauthorized requests.
5. Limit user privileges by following the principle of least privilege, ensuring only trusted users have administrative or editing rights.
6. Monitor logs for unusual POST requests or changes to custom post type options pages that could indicate exploitation attempts.
7. Educate users about phishing and social engineering tactics that could be used to trick them into executing malicious requests.
8. Consider temporarily disabling or removing the plugin if it is not essential until a secure version is confirmed.
9. Conduct regular security assessments and penetration tests focusing on WordPress plugins and custom fields management.
10. Maintain up-to-date backups to enable rapid recovery in case of compromise.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:28:42.280Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68f8eff604677bbd79439a9a
Added to database: 10/22/2025, 2:53:42 PM
Last enriched: 11/13/2025, 11:57:28 AM
Last updated: 12/12/2025, 5:01:33 AM
Views: 104