The WPeMatico RSS Feed Fetcher plugin for WordPress suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-8103. This vulnerability exists in all versions up to and including 2.8.7 due to the absence of nonce validation in the handle_feedback_submission() function. Nonces are security tokens used to verify that requests originate from legitimate users and prevent unauthorized actions. Without this validation, an attacker can craft a malicious request that, when executed by a logged-in administrator (e.g., by clicking a link), causes the plugin to be deactivated. This attack does not require the attacker to be authenticated but does require user interaction from an administrator. The vulnerability impacts the availability of the plugin’s functionality, potentially disrupting automated RSS feed fetching and related workflows. The CVSS v3.1 base score is 4.3, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impact limited to availability. No patches or known exploits are currently reported, but the risk remains significant for sites relying on this plugin. The vulnerability is classified under CWE-352, which covers CSRF attacks that exploit the trust a web application places in a user’s browser.

This vulnerability primarily affects the availability of the WPeMatico plugin by allowing attackers to deactivate it remotely through CSRF attacks. For organizations relying on this plugin to automate RSS feed fetching and content aggregation, successful exploitation could disrupt content updates, impacting website functionality and user experience. Although the vulnerability does not directly compromise confidentiality or integrity, the loss of plugin functionality could affect business operations, especially for content-driven sites. Since exploitation requires user interaction from an administrator, the risk is somewhat mitigated, but social engineering techniques could increase the likelihood of successful attacks. The lack of authentication requirement broadens the attacker base, making any WordPress site using this plugin vulnerable. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks. Organizations with high dependency on this plugin or those with high-value content sites are at greater risk of operational disruption.

1. Immediately update the WPeMatico RSS Feed Fetcher plugin to a version that includes nonce validation once available from the vendor. 2. Until a patch is released, implement web application firewall (WAF) rules to detect and block suspicious POST requests targeting the handle_feedback_submission() endpoint. 3. Educate site administrators about the risks of clicking on unsolicited links, especially those that could trigger administrative actions. 4. Restrict administrative access to trusted networks or use multi-factor authentication to reduce the risk of compromised administrator sessions. 5. Regularly audit installed plugins and remove or replace those no longer maintained or with known vulnerabilities. 6. Monitor WordPress logs for unusual plugin deactivation events to detect potential exploitation attempts early. 7. Consider isolating critical WordPress administrative interfaces behind VPNs or IP whitelisting to reduce exposure to CSRF attacks.