CVE-2025-9631: CWE-352 Cross-Site Request Forgery (CSRF) in gyaku AutoCatSet
The AutoCatSet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.4. This is due to missing or incorrect nonce validation on the autocatset_ajax function. This makes it possible for unauthenticated attackers to trigger automatic recategorization of posts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-9631 is a Cross-Site Request Forgery (CSRF) vulnerability in the AutoCatSet plugin for WordPress, developed by the vendor 'gyaku'. It affects all versions up to and including 2.1.4 and is caused by missing or incorrect nonce validation in the autocatset_ajax function. WordPress nonces are per-user, time-limited tokens that a request handler checks to confirm the request was issued intentionally from the site's own interface rather than forged by a third-party page.

Because the handler does not validate the nonce, an unauthenticated attacker can craft a request that, when executed by an authenticated site administrator (for example, by clicking a link), triggers automatic recategorization of posts without the administrator's consent. This recategorization could alter the organization and classification of content on the website, potentially disrupting content management workflows or misleading site visitors.

The vulnerability requires user interaction (the administrator must be tricked into performing an action), does not require authentication by the attacker, and does not directly affect confidentiality or availability, but it impacts the integrity of the website's content categorization. The CVSS v3.1 base score is 4.3 (medium severity), reflecting the limited impact scope and the need for user interaction. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is classified under CWE-352, which covers CSRF weaknesses where state-changing requests can be forged because anti-CSRF tokens are missing or incorrectly checked.
Potential Impact
For European organizations using WordPress websites with the AutoCatSet plugin, this vulnerability could lead to unauthorized modification of post categorizations. While this does not directly compromise sensitive data confidentiality or availability, it undermines the integrity of website content management. This could result in misinformation, misclassification of content, or disruption of user navigation and SEO rankings. Organizations relying on accurate content categorization for compliance, customer information, or operational processes may face reputational damage or operational inefficiencies. Because exploitation depends on an administrator being tricked into clicking a malicious link, the risk is tied to the organization's exposure to phishing and other social engineering. European organizations with public-facing WordPress sites, especially those in sectors like media, e-commerce, or government, where content integrity is critical, are at risk. The medium severity score suggests the threat is moderate but should not be ignored, especially in environments where content accuracy is essential.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should immediately audit their WordPress installations for the presence of the AutoCatSet plugin and verify the version in use. If the plugin is installed and is version 2.1.4 or earlier, organizations should disable or remove the plugin until an official patch is released. In the absence of a patch, organizations with development resources can implement custom nonce validation in the autocatset_ajax function to ensure that all AJAX requests are properly authenticated and authorized. Additionally, administrators should be trained to recognize phishing attempts and avoid clicking on suspicious links, especially when logged into administrative accounts. Implementing Content Security Policy (CSP) headers to restrict the sources of executable scripts and using web application firewalls (WAFs) to detect and block suspicious requests can provide additional layers of defense. Regular backups of website content and configurations should be maintained to allow quick restoration if unauthorized changes occur. Monitoring logs for unusual recategorization activities can help detect exploitation attempts early.
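The following is an added illustration of the weak pattern described above (a state-changing admin-ajax.php handler with no nonce check) beside the hardened form the mitigation calls for. It is example code written for this page, not the AutoCatSet plugin's own handler; the action name, function names, nonce action string and the recategorization logic are assumptions.

```php
<?php
// Example code, not the plugin's implementation. Names and logic are assumed.

// Helper standing in for the plugin's recategorization step: move every post
// into the site's default category.
function example_recategorize_all_posts() {
    $default = (int) get_option( 'default_category' );
    foreach ( get_posts( array( 'numberposts' => -1, 'post_type' => 'post' ) ) as $post ) {
        wp_set_post_categories( $post->ID, array( $default ), false );
    }
}

// WEAK PATTERN (CWE-352): the handler changes state as soon as it is reached.
// The browser attaches the logged-in administrator's cookies to any request
// for admin-ajax.php, so a request originating from another site is accepted
// exactly like one from the plugin's own settings page.
function example_recategorize_ajax_weak() {
    example_recategorize_all_posts();          // no proof the admin intended this
    wp_send_json_success( 'recategorized' );
}
// Would be registered as: add_action( 'wp_ajax_example_recategorize', 'example_recategorize_ajax_weak' );

// HARDENED PATTERN:
// 1. check_ajax_referer() verifies a nonce bound to this action and the current
//    user's session. A request forged from another origin cannot carry a valid
//    nonce, so the call terminates with HTTP 403 before any state changes.
// 2. current_user_can() adds the authorization check; a nonce proves intent,
//    not privilege.
function example_recategorize_ajax_hardened() {
    check_ajax_referer( 'example_recategorize_nonce', 'security' );
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    example_recategorize_all_posts();
    wp_send_json_success( 'recategorized' );
}
// Only the logged-in hook is registered (no wp_ajax_nopriv_ variant), so the
// endpoint is not reachable by unauthenticated callers at all.
add_action( 'wp_ajax_example_recategorize', 'example_recategorize_ajax_hardened' );

// The nonce is issued server-side to the legitimate admin page and sent back as
// the 'security' POST field; the JavaScript file name is an assumption.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-recat', plugins_url( 'recat.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-recat', 'exampleRecat', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_recategorize_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

When auditing a plugin for this class of bug, look for every wp_ajax_ and wp_ajax_nopriv_ callback that writes to the database and confirm it reaches check_ajax_referer() or wp_verify_nonce() plus a capability check before the first write.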
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-28T19:54:00.766Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68c27a22e1c560fa9d94d4b8
Added to database: 9/11/2025, 7:28:34 AM
Last enriched: 9/11/2025, 7:32:50 AM
Last updated: 9/11/2025, 7:07:37 PM