
CVE-2025-9618: CWE-352 Cross-Site Request Forgery (CSRF) in wpdreams Related Posts Lite

Severity: Medium
Tags: Vulnerability, CVE-2025-9618, CWE-352
Published: Sat Aug 30 2025 (08/30/2025, 01:45:53 UTC)
Source: CVE Database V5
Vendor/Project: wpdreams
Product: Related Posts Lite

Description

The Related Posts Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 18:04:34 UTC

Technical Analysis

CVE-2025-9618 is a medium severity vulnerability classified as CWE-352 (Cross-Site Request Forgery) found in the Related Posts Lite WordPress plugin developed by wpdreams. This vulnerability affects all versions up to and including 1.12. The root cause is the absence or incorrect implementation of nonce validation on the settings update functionality within the plugin. Nonces in WordPress are security tokens used to verify that requests to change settings or perform sensitive actions originate from legitimate users and not from forged requests. Due to this missing protection, an unauthenticated attacker can craft a malicious URL or form that, when visited or submitted by an authenticated site administrator, causes the plugin settings to be modified without the administrator's consent. This attack requires user interaction, specifically that an administrator clicks on or otherwise triggers the malicious request. The impact is limited to integrity, as attackers can alter plugin configurations, potentially enabling further attacks or disrupting site behavior. Confidentiality and availability are not directly affected. The vulnerability has a CVSS v3.1 base score of 4.3, reflecting its moderate risk level. No public exploits or active exploitation campaigns have been reported as of the publication date. The vulnerability was reserved on August 28, 2025, and published on August 30, 2025. No official patches have been linked yet, so mitigation relies on administrative caution and potential plugin updates.
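To make the root cause concrete, here is an added example (not code from Related Posts Lite or wpdreams) contrasting a settings handler that saves whatever is POSTed with one that binds the save to a WordPress nonce and a capability check. The hook, option and function names (rpl_*) are hypothetical; the WordPress API calls are real.

```php
<?php
// Added illustration, not the plugin's code. rpl_* names are hypothetical.

// BEFORE (the CWE-352 pattern): nothing ties the request to the admin screen, so a
// form submitted from another origin by a logged-in administrator is indistinguishable
// from a legitimate save. Sanitisation alone does not prevent CSRF.
function rpl_save_settings_vulnerable() {
    update_option( 'rpl_posts_count', absint( $_POST['posts_count'] ?? 5 ) );
    update_option( 'rpl_title', sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=rpl&updated=1' ) );
    exit;
}

// AFTER: the form embeds a nonce bound to the action name and the current user session;
// the handler refuses any request without a valid nonce, then checks the capability
// separately (authorisation is not CSRF protection, and vice versa).
function rpl_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="rpl_save_settings">';
    wp_nonce_field( 'rpl_save_settings', 'rpl_nonce' ); // hidden nonce field + referer field
    echo '<label>Posts to show <input type="number" name="posts_count" value="'
        . esc_attr( get_option( 'rpl_posts_count', 5 ) ) . '"></label>';
    echo '<label>Heading <input type="text" name="title" value="'
        . esc_attr( get_option( 'rpl_title', '' ) ) . '"></label>';
    submit_button( 'Save' );
    echo '</form>';
}

function rpl_save_settings_hardened() {
    // check_admin_referer() calls wp_die() with "The link you followed has expired" when
    // the nonce is missing, stale or bound to a different action, so a forged request
    // never reaches update_option().
    check_admin_referer( 'rpl_save_settings', 'rpl_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    update_option( 'rpl_posts_count', absint( $_POST['posts_count'] ?? 5 ) );
    update_option( 'rpl_title', sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=rpl&updated=1' ) );
    exit;
}
add_action( 'admin_post_rpl_save_settings', 'rpl_save_settings_hardened' );
```

When auditing a plugin for this class of bug, the check is whether every option-writing handler reaches `check_admin_referer()` or `wp_verify_nonce()` before `update_option()`; the nonce name and action string must also match between the form and the handler, since a mismatched action is the "incorrect nonce validation" case the advisory mentions.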

Potential Impact

The primary impact of CVE-2025-9618 is unauthorized modification of the Related Posts Lite plugin settings by attackers who can trick site administrators into performing actions on malicious links or pages. This can lead to configuration changes that may degrade website functionality, introduce security weaknesses, or enable further exploitation vectors such as redirecting users to malicious sites or disabling security features. Since the vulnerability does not affect confidentiality or availability directly, the risk is mainly to the integrity of the website's configuration. However, compromised plugin settings can indirectly facilitate broader attacks or site defacement. Organizations relying on this plugin for content management and user engagement may experience disruptions or reputational damage if exploited. The requirement for administrator interaction limits the ease of exploitation but does not eliminate risk, especially in environments where administrators may be targeted with phishing or social engineering. The absence of known exploits reduces immediate threat but vigilance is necessary given the widespread use of WordPress and its plugins globally.

Mitigation Recommendations

1. Immediately monitor for updates from the wpdreams development team and apply any released patches addressing this vulnerability.
2. Until an official patch is available, restrict administrator access to trusted personnel and educate them about the risks of clicking unknown or suspicious links.
3. Implement web application firewalls (WAFs) with rules to detect and block suspicious CSRF attempts targeting the plugin's settings endpoints.
4. Use security plugins that enforce nonce validation or add additional CSRF protections as a temporary workaround.
5. Regularly audit plugin configurations and logs for unauthorized changes.
6. Employ multi-factor authentication (MFA) for administrator accounts to reduce the risk of compromised credentials being leveraged in conjunction with CSRF.
7. Limit the number of administrators and ensure they follow best security practices to minimize the attack surface.
8. Consider disabling or replacing the Related Posts Lite plugin with alternatives that have verified security controls if patching is delayed.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-08-28T18:28:44.540Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68b25f4cad5a09ad007de32f

Added to database: 8/30/2025, 2:17:48 AM

Last enriched: 2/26/2026, 6:04:34 PM

Last updated: 3/26/2026, 6:49:49 AM
