
CVE-2025-9618: CWE-352 Cross-Site Request Forgery (CSRF) in wpdreams Related Posts Lite

Medium
Tags: Vulnerability, CVE-2025-9618, CWE-352
Published: Sat Aug 30 2025 (08/30/2025, 01:45:53 UTC)
Source: CVE Database V5
Vendor/Project: wpdreams
Product: Related Posts Lite

Description

The Related Posts Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

AI-Powered Analysis

Last updated: 08/30/2025, 02:32:46 UTC

Technical Analysis

CVE-2025-9618 is a Cross-Site Request Forgery (CSRF) vulnerability in the Related Posts Lite plugin for WordPress, developed by wpdreams. It affects all versions up to and including 1.12 and stems from missing or incorrect nonce validation on the plugin's settings update functionality. Nonces in WordPress are security tokens used to verify that a request to perform an action originates from a legitimate user and not from an attacker. Because the settings handler either does not validate a nonce or validates it incorrectly, an unauthenticated attacker can craft a request that, when executed by an authenticated site administrator (for example, by clicking a link or visiting a malicious web page), modifies the plugin's settings without authorization. The attacker needs no account on the site, but the attack does require interaction from a logged-in administrator, which is what makes it a notable risk on administrative interfaces. The vulnerability affects the integrity of the plugin's configuration; it does not directly affect confidentiality or availability. The CVSS 3.1 base score is 4.3 (medium severity), reflecting easy exploitation (network vector, low attack complexity, no privileges required, but user interaction needed) and limited impact (integrity only). No exploits in the wild are currently reported. The vulnerability was published on August 30, 2025; the record provides no patch links, so it is treated here as unpatched. Given the widespread use of WordPress and its plugins, a successful attack could alter site behavior and potentially enable further attacks or misconfigurations.
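As an added illustration (not code from Related Posts Lite or wpdreams), the following shows a minimal WordPress options-save handler in the shape that produces this class of bug, next to the nonce-checked form that closes it. The hook, option, capability and nonce names are assumed for the example.

```php
<?php
// Added example, not plugin code. Option, nonce and hook names are assumed.

// --- Vulnerable shape (CWE-352): the write is trusted because the browser
// sent the admin's session cookies, which a cross-site form POST also does. ---
function rpl_example_save_settings_vulnerable() {
    if ( ! isset( $_POST['rpl_example_save'] ) ) {
        return;
    }
    // No nonce check and no capability check: any request carrying the
    // admin's cookies is accepted and persisted.
    update_option( 'rpl_example_post_count', (int) $_POST['post_count'] );
}

// --- Hardened shape: authorise, verify the nonce, then validate and write. ---
function rpl_example_save_settings_hardened() {
    if ( ! isset( $_POST['rpl_example_save'] ) ) {
        return;
    }
    // 1. Authorisation: only users allowed to manage options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. CSRF defence: the nonce is bound to the logged-in user and to this
    //    action name and expires; another origin cannot read it, so a forged
    //    form cannot supply it. check_admin_referer() stops on failure.
    check_admin_referer( 'rpl_example_save_settings', '_rpl_example_nonce' );
    // 3. Only now validate the input and persist it.
    $count = absint( $_POST['post_count'] );
    update_option( 'rpl_example_post_count', min( $count, 20 ) );
}
add_action( 'admin_init', 'rpl_example_save_settings_hardened' );

// The settings form must emit the matching nonce field so legitimate
// saves carry it; wp_nonce_field() also adds the referer field.
function rpl_example_render_settings_page() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'rpl_example_save_settings', '_rpl_example_nonce' ); ?>
        <label>Posts to show
            <input type="number" name="post_count"
                   value="<?php echo esc_attr( get_option( 'rpl_example_post_count', 5 ) ); ?>">
        </label>
        <?php submit_button( 'Save', 'primary', 'rpl_example_save' ); ?>
    </form>
    <?php
}
```

Auditing a plugin for this bug class amounts to checking that every code path which calls update_option() on POST data runs after both a current_user_can() check and a check_admin_referer() or wp_verify_nonce() check, as in the hardened handler.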

Potential Impact

For European organizations using WordPress sites with the Related Posts Lite plugin, this vulnerability poses a moderate risk. An attacker could manipulate plugin settings to alter the display or behavior of related posts, potentially redirecting users to malicious content or degrading user experience. While the direct impact on confidentiality and availability is minimal, the integrity compromise could facilitate social engineering or phishing campaigns by modifying content shown to visitors. Organizations with high-traffic WordPress sites, especially those with multiple administrators, are at greater risk since an attacker needs to trick an admin into performing an action. This could affect sectors such as media, e-commerce, education, and government websites that rely on WordPress for content management. The lack of a patch means organizations must rely on mitigation strategies until an official fix is released. Failure to address this vulnerability could lead to reputational damage, loss of user trust, and potential compliance issues under regulations like GDPR if user data is indirectly affected through manipulated content or links.

Mitigation Recommendations

1. Immediate mitigation involves restricting administrative access to trusted networks or VPNs to reduce exposure to CSRF attacks.
2. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin's settings endpoints.
3. Educate site administrators about the risk of clicking on untrusted links or visiting unknown websites while logged into the WordPress admin panel.
4. Temporarily disable or deactivate the Related Posts Lite plugin if it is not critical to site operations until a patch is available.
5. Monitor WordPress logs for unusual POST requests to the plugin's settings URLs, which may indicate exploitation attempts.
6. Follow the vendor's updates closely and apply patches promptly once released.
7. Consider using security plugins that add additional CSRF protections or nonce validation layers to WordPress plugins.
8. Conduct regular security audits and penetration testing focusing on administrative interfaces to detect similar vulnerabilities.


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-08-28T18:28:44.540Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68b25f4cad5a09ad007de32f

Added to database: 8/30/2025, 2:17:48 AM

Last enriched: 8/30/2025, 2:32:46 AM

Last updated: 8/30/2025, 4:28:46 AM


