CVE-2025-9618: CWE-352 Cross-Site Request Forgery (CSRF) in wpdreams Related Posts Lite
The Related Posts Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-9618 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Related Posts Lite plugin for WordPress, developed by wpdreams. This vulnerability exists in all versions up to and including 1.12 due to missing or incorrect nonce validation on the plugin's settings update functionality. Nonces are security tokens used to validate that a request to change settings originates from a legitimate user action within the site interface. The absence or improper implementation of nonce validation allows an unauthenticated attacker to craft a malicious request that, when executed by an authenticated site administrator (for example, by clicking a specially crafted link), can modify the plugin’s settings without the administrator’s explicit consent. This attack vector requires user interaction but no prior authentication, making it a classic CSRF scenario. The vulnerability is rated with a CVSS 3.1 base score of 4.3 (medium severity), reflecting that the attack can be launched remotely over the network with low complexity and no privileges but requires user interaction. The impact primarily affects the integrity of the plugin’s configuration, potentially leading to unauthorized changes that could degrade site functionality or open further attack vectors if the altered settings enable unsafe behaviors. There is no indication of known exploits in the wild at this time, and no official patches have been linked yet. The vulnerability is categorized under CWE-352, emphasizing the importance of proper anti-CSRF protections in web applications and plugins.
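The nonce check the summary describes, as an added example written for this page and not the plugin's own code (the rpl_demo_* function, option and field names are assumptions): a hypothetical settings-save handler that lacks nonce validation, beside a hardened version that ties the form to a per-user, per-action nonce and verifies it with WordPress's check_admin_referer() before touching the option.

```php
<?php
// Added example: a hypothetical WordPress settings handler, NOT the
// Related Posts Lite plugin's code. Option name and field names are
// assumptions. Shows the CWE-352 pattern and its fix.

// VULNERABLE: any POST that reaches this hook is applied. A forged
// cross-site form submitted by a logged-in admin's browser carries the
// session cookie, so the capability check alone does not stop CSRF.
function rpl_demo_save_settings_vulnerable() {
    if ( ! isset( $_POST['rpl_demo_save'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    update_option( 'rpl_demo_settings', array(
        'post_count' => absint( $_POST['post_count'] ?? 5 ),
    ) );
}

// HARDENED: the form must carry a nonce bound to this action and to the
// current user's session; check_admin_referer() dies on a bad or missing one.
function rpl_demo_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'rpl_demo_save_settings', 'rpl_demo_nonce' );
    echo '<input type="number" name="post_count" value="5">';
    echo '<input type="submit" name="rpl_demo_save" value="Save">';
    echo '</form>';
}

function rpl_demo_save_settings_hardened() {
    if ( ! isset( $_POST['rpl_demo_save'] ) ) {
        return;
    }
    // Capability check answers "is this user allowed?" (authorization).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Nonce check answers "did this user intend this request?";
    // a forged cross-site request cannot carry a valid token.
    check_admin_referer( 'rpl_demo_save_settings', 'rpl_demo_nonce' );
    update_option( 'rpl_demo_settings', array(
        'post_count' => absint( wp_unslash( $_POST['post_count'] ?? 5 ) ),
    ) );
}
add_action( 'admin_init', 'rpl_demo_save_settings_hardened' );
```

Both checks are needed: the capability test alone passes for a forged request riding on the administrator's cookies, which is exactly the CSRF condition described above.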
Potential Impact
For European organizations using WordPress websites with the Related Posts Lite plugin, this vulnerability poses a moderate risk. Successful exploitation could allow attackers to alter plugin settings, potentially disrupting website content presentation or enabling further malicious activities such as redirecting users, injecting malicious content, or weakening other security controls. Since WordPress is widely used across Europe for corporate, governmental, and small business websites, the integrity of site configurations is critical. Altered plugin settings might also affect user trust and compliance with data protection regulations like GDPR if the changes lead to unauthorized data exposure or tracking. Although the vulnerability does not directly compromise confidentiality or availability, the integrity impact and the possibility of chained attacks increase the threat level. The requirement for user interaction (an administrator clicking a malicious link) somewhat limits the attack surface but does not eliminate risk, especially in environments where administrators may be targeted by phishing or social engineering campaigns.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the Related Posts Lite plugin, particularly versions up to 1.12. Until an official patch is released, administrators should implement the following mitigations:
1) Restrict administrative access to trusted networks and use multi-factor authentication to reduce the risk of compromised admin accounts being exploited via CSRF.
2) Educate administrators about phishing and social engineering risks to prevent inadvertent clicking on malicious links.
3) Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious POST requests targeting plugin settings endpoints.
4) Temporarily disable or remove the Related Posts Lite plugin if it is not essential, or replace it with an alternative plugin that has proper CSRF protections.
5) Monitor logs for unusual configuration changes or access patterns.
6) Watch for official patches or updates from the vendor and apply them promptly once available.
7) Implement Content Security Policy (CSP) headers to reduce the risk of malicious external content influencing admin sessions.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-28T18:28:44.540Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68b25f4cad5a09ad007de32f
Added to database: 8/30/2025, 2:17:48 AM
Last enriched: 9/7/2025, 12:33:48 AM
Last updated: 10/14/2025, 12:30:37 PM