CVE-2025-9945 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin Optimize More! – CSS, maintained by aryadhiratara. The vulnerability exists in all versions up to and including 1.0.3 due to missing or incorrect nonce validation on the reset_plugin function. Nonces in WordPress are security tokens used to verify that requests originate from legitimate users and prevent CSRF attacks. Without proper nonce validation, an attacker can craft a malicious web request that, when executed by an authenticated administrator (e.g., by clicking a link), triggers the reset_plugin function. This action resets the plugin's optimization settings without the administrator's consent. Although the attacker does not require authentication, the attack depends on social engineering to induce an administrator to perform the action, making user interaction necessary. The vulnerability impacts the integrity of the plugin's configuration but does not expose sensitive data or cause denial of service. The CVSS 3.1 base score of 4.3 reflects the network attack vector, low attack complexity, no privileges required, but requiring user interaction and limited impact on integrity only. No patches or exploits are currently publicly available, but the risk remains for sites using the affected plugin versions. The vulnerability is classified under CWE-352, a common web security weakness related to CSRF.

The primary impact of this vulnerability is on the integrity of the affected WordPress plugin's configuration. An attacker who successfully exploits this flaw can reset the optimization settings of the Optimize More! – CSS plugin, potentially degrading website performance or undoing security or performance enhancements configured by administrators. While this does not directly compromise confidentiality or availability, altered plugin settings could indirectly affect site behavior, user experience, or security posture. For organizations relying on this plugin for CSS optimization, unauthorized resets could lead to increased page load times or other performance regressions, possibly affecting SEO rankings or user satisfaction. Since exploitation requires tricking an administrator, the risk is higher in environments where administrators frequently interact with untrusted content. The vulnerability does not allow code execution or data leakage, limiting its severity but still posing a notable risk to site integrity and operational stability.

To mitigate this vulnerability, organizations should first check if an updated version of the Optimize More! – CSS plugin is available that includes proper nonce validation on the reset_plugin function and upgrade immediately. If no patch is available, administrators should consider temporarily disabling the plugin or restricting administrative access to trusted networks to reduce exposure. Implementing web application firewalls (WAFs) with rules to detect and block CSRF attack patterns targeting the reset_plugin endpoint can provide additional protection. Educate site administrators about the risks of clicking untrusted links, especially while logged into WordPress admin panels. Additionally, site owners can implement custom nonce validation or add CSRF tokens manually to the plugin's reset functionality if they have development resources. Regularly monitoring plugin activity logs for unexpected resets can help detect exploitation attempts early. Finally, maintaining a robust backup strategy ensures quick recovery if unauthorized changes occur.