CVE-2025-6064 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the djerba WP URL Shortener plugin for WordPress, affecting all versions up to and including 1.2. The root cause is the absence or improper implementation of nonce validation on the 'url_shortener_settings' administrative page. Nonces in WordPress are security tokens used to verify that requests originate from legitimate users and not from malicious third-party sites. Without proper nonce checks, an attacker can craft a malicious web request that, when executed by an authenticated administrator (e.g., by clicking a link), causes unauthorized changes to plugin settings or injection of malicious scripts. This can lead to persistent cross-site scripting (XSS) or other malicious behaviors within the WordPress environment. The vulnerability does not require the attacker to be authenticated but does require user interaction from an administrator, making social engineering a key vector. The CVSS 3.1 base score is 6.1, indicating a medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality and integrity but not availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. Given the plugin’s role in URL shortening, attackers could manipulate URL redirection or tracking settings, potentially facilitating further attacks or phishing campaigns.

The impact of this vulnerability is significant for organizations using the djerba WP URL Shortener plugin on WordPress sites, especially those with multiple administrators or high-value content. Successful exploitation allows attackers to alter plugin settings without authorization, potentially redirecting users to malicious sites, injecting malicious scripts, or compromising site integrity. This can lead to data leakage, loss of trust, defacement, or further malware distribution. Since WordPress powers a large portion of the web, including many business and government sites, the scope is broad. The requirement for administrator interaction limits exploitation somewhat but does not eliminate risk, particularly in environments where administrators may be targeted with phishing or social engineering. The vulnerability could also be leveraged as a foothold for more advanced attacks within compromised WordPress installations. Although availability is not impacted, the confidentiality and integrity of site data and user interactions are at risk.

To mitigate this vulnerability, organizations should first check for and apply any official patches or updates from the djerba WP URL Shortener plugin developer once available. In the absence of patches, administrators should consider temporarily disabling or uninstalling the plugin to eliminate exposure. Implementing strict administrative access controls and educating administrators about phishing and social engineering risks can reduce the likelihood of exploitation. Additionally, applying Web Application Firewall (WAF) rules to detect and block suspicious POST requests targeting the 'url_shortener_settings' page can provide a layer of defense. Site owners should also ensure that WordPress core and all plugins are kept up to date and consider using security plugins that enforce nonce validation or monitor for CSRF attempts. Regular security audits and monitoring for unusual administrative activity can help detect exploitation attempts early.