
CVE-2025-4337 — Cross-Site Request Forgery (CSRF)

WordPress Plugin AHAthat β€” Discovered by Seckhmet

Vulnerability Information

CVE ID: CVE-2025-4337
Type: Cross-Site Request Forgery (CSRF)
Affected Component: WordPress Plugin AHAthat
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS Score: 4.3 (Medium)
Discovered by: Seckhmet

Description

A Cross-Site Request Forgery (CSRF) vulnerability was identified in the WordPress plugin AHAthat. At least one state-changing request handled by the plugin is not tied to a CSRF token, so an unauthenticated attacker can make a logged-in user (typically an administrator) perform an unintended action by tricking them into visiting a malicious page or clicking a crafted link. The victim's browser attaches their session cookies to the forged request, and the plugin processes it as if the user had submitted it.

The attack is launched over the network (AV:N), and the attacker needs no account on the target site (PR:N); the privileges that matter are the victim's, which is why the victim must interact (UI:R). The impact is limited to integrity (I:L): confidentiality and availability are not affected.

CVSS Analysis

  • AV:N — Network vector: remotely exploitable
  • AC:L — Low complexity: no special conditions required
  • PR:N — No prior privileges needed by the attacker (the forged request runs with the victim's privileges)
  • UI:R — User interaction required: the victim must open the attacker's page or link
  • S:U — Unchanged scope
  • C:N / I:L / A:N — Low integrity impact; no confidentiality or availability impact

Recommendations

Update the AHAthat plugin to the patched version as soon as one is available. Until then, deactivate the plugin or restrict access to the affected functionality. On the developer side, every state-changing request must carry a WordPress nonce that the handler verifies (wp_nonce_field() paired with check_admin_referer() for admin form posts, or check_ajax_referer() for AJAX handlers), together with a capability check via current_user_can(), since a nonce proves intent but not authorization. State changes should also be accepted only over POST, never via a GET link. A quick audit is to enumerate the plugin's admin_post_*, wp_ajax_* and settings-page handlers and confirm that each one calls a nonce-verification function before touching data.
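The following is an added example, not code from AHAthat or from the advisory, showing the pattern behind the recommendation above: a WordPress admin-post handler that trusts the session cookie alone, next to a hardened version that verifies a nonce and a capability before changing state. The option name example_setting, the action name example_save, the nonce field name example_nonce and the function names are placeholders chosen for this illustration.

```php
<?php
/**
 * Added example (not the plugin's own code). All names here are
 * hypothetical: example_setting, example_save, example_nonce.
 */

// --- Vulnerable pattern -------------------------------------------------
// Any page that makes the victim's browser POST to admin-post.php with
// action=example_save (e.g. a hidden auto-submitting form) changes the
// option, because the handler relies on the session cookie alone.
function example_vuln_save_settings() {
    if ( isset( $_POST['example_setting'] ) ) {
        update_option( 'example_setting', $_POST['example_setting'] );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}
// add_action( 'admin_post_example_save', 'example_vuln_save_settings' );

// --- Hardened pattern ---------------------------------------------------
// 1. Render a nonce bound to this action into the settings form.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save">
        <?php wp_nonce_field( 'example_save', 'example_nonce' ); ?>
        <input type="text" name="example_setting"
               value="<?php echo esc_attr( get_option( 'example_setting', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Verify the nonce and the capability before acting.
function example_safe_save_settings() {
    // Rejects requests whose nonce is missing, expired, or was issued for a
    // different user or action. On failure WordPress stops the request with
    // a 403 "link has expired" page, so nothing below runs.
    check_admin_referer( 'example_save', 'example_nonce' );

    // A valid nonce only proves the request came from a form this site
    // rendered for this user; it is not an authorization check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    // Normalise and sanitise the input before persisting it.
    $value = isset( $_POST['example_setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_setting'] ) )
        : '';
    update_option( 'example_setting', $value );

    $back = wp_get_referer() ? wp_get_referer() : admin_url( 'options-general.php?page=example' );
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
add_action( 'admin_post_example_save', 'example_safe_save_settings' );
```

For handlers registered on wp_ajax_* hooks the same structure applies with check_ajax_referer() in place of check_admin_referer(), and for REST routes the permission_callback plus the X-WP-Nonce header play the equivalent roles. Note that the hardened handler is still registered only on admin_post_example_save (authenticated users), not on admin_post_nopriv_example_save, so it is never reachable without a session at all.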