Skip to main content

CVE-2025-7688: CWE-352 Cross-Site Request Forgery (CSRF) in jason-lau Add User Meta

Medium
VulnerabilityCVE-2025-7688cvecve-2025-7688cwe-352
Published: Fri Aug 15 2025 (08/15/2025, 08:25:38 UTC)
Source: CVE Database V5
Vendor/Project: jason-lau
Product: Add User Meta

Description

The Add User Meta plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the 'add-user-meta' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AI-Powered Analysis

AILast updated: 08/15/2025, 09:05:28 UTC

Technical Analysis

CVE-2025-7688 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Add User Meta WordPress plugin developed by jason-lau, specifically all versions up to and including 1.0.1. The vulnerability arises due to missing or incorrect nonce validation on the 'add-user-meta' page, which is a security mechanism WordPress uses to verify that requests are legitimate and intended by authenticated users. Because of this flaw, an unauthenticated attacker can craft a malicious request that, if an authenticated site administrator is tricked into clicking (for example, via a phishing email or malicious webpage), can cause the administrator's browser to perform unintended actions on the vulnerable WordPress site. These actions include updating plugin settings and injecting malicious web scripts. The vulnerability has a CVSS 3.1 base score of 6.1, indicating a medium severity level. The attack vector is network-based (remote), requires no privileges, but does require user interaction (the administrator must click a malicious link). The scope is changed, meaning the vulnerability can affect resources beyond the vulnerable component. The impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild. The vulnerability is classified under CWE-352, which is a common web security weakness related to CSRF attacks. This vulnerability is significant because it allows attackers to leverage the trust between the administrator's browser and the WordPress site to perform unauthorized actions, potentially leading to persistent malicious code injection or unauthorized configuration changes.

Potential Impact

For European organizations using WordPress sites with the Add User Meta plugin, this vulnerability poses a risk of unauthorized modification of site settings and injection of malicious scripts. This can lead to data leakage, defacement, or further exploitation such as privilege escalation or persistent backdoors. Given that WordPress is widely used across Europe for corporate, governmental, and e-commerce websites, exploitation could disrupt business operations, damage reputations, and lead to regulatory non-compliance, especially under GDPR if personal data is compromised. The requirement for user interaction (administrator clicking a malicious link) means social engineering is a key component of exploitation, which can be facilitated by phishing campaigns targeting European organizations. The vulnerability does not directly impact availability but can compromise the integrity and confidentiality of affected systems. The scope change indicates that the attacker may affect components beyond the plugin itself, increasing potential damage. Although no exploits are known in the wild yet, the medium severity and ease of exploitation without authentication make it a credible threat that should be addressed promptly.

Mitigation Recommendations

1. Immediate update or patching: Although no official patch links are provided, organizations should monitor the plugin vendor's announcements and apply any released patches promptly. 2. Implement manual nonce validation: If patches are unavailable, site administrators or developers should add proper nonce verification to the 'add-user-meta' page to ensure requests are legitimate. 3. Restrict administrative access: Limit administrator access to trusted networks or use VPNs to reduce exposure to phishing attempts. 4. Enhance user awareness: Conduct targeted training for WordPress administrators on phishing and social engineering risks to reduce the likelihood of clicking malicious links. 5. Use Web Application Firewalls (WAFs): Configure WAF rules to detect and block suspicious CSRF attempts or unusual POST requests to the vulnerable plugin endpoints. 6. Monitor logs: Regularly review web server and WordPress logs for unusual activity related to the 'add-user-meta' page or unexpected changes in user meta data. 7. Employ Content Security Policy (CSP): Implement CSP headers to limit the execution of injected scripts, mitigating the impact of script injection. 8. Consider plugin alternatives: Evaluate replacing the Add User Meta plugin with alternatives that have better security track records if patches are delayed.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-07-15T19:03:40.095Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 689ef436ad5a09ad00697342

Added to database: 8/15/2025, 8:47:50 AM

Last enriched: 8/15/2025, 9:05:28 AM

Last updated: 8/18/2025, 1:22:20 AM

Views: 3

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats