{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10300", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-11T21:07:45.739Z", "datePublished": "2025-10-15T08:25:57.866Z", "dateUpdated": "2026-04-08T17:06:21.479Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:21.479Z"}, "affected": [{"vendor": "fmeaddons", "product": "TopBar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The TopBar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the fme_nb_topbar_save_settings() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "TopBar <= 1.0.0 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8e68cb68-45ab-4c2f-a105-1ef01da42453?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/topbar/trunk/admin/class-fme-nb-topbaradmin.php#L38"}, {"url": "https://plugins.trac.wordpress.org/browser/topbar/trunk/admin/class-fme-nb-topbaradmin.php#L131"}, {"url": "https://wordpress.org/plugins/topbar/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "jason carle"}], "timeline": [{"time": "2025-10-14T19:36:56.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-15T14:30:59.917830Z", "id": "CVE-2025-10300", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T14:31:10.697Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10300", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-15T14:30:59.917830Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T14:31:06.207Z"}}], "cna": {"title": "TopBar <= 1.0.0 - Cross-Site Request Forgery to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "jason carle"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "fmeaddons", "product": "TopBar", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-14T19:36:56.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8e68cb68-45ab-4c2f-a105-1ef01da42453?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/topbar/trunk/admin/class-fme-nb-topbaradmin.php#L38"}, {"url": "https://plugins.trac.wordpress.org/browser/topbar/trunk/admin/class-fme-nb-topbaradmin.php#L131"}, {"url": "https://wordpress.org/plugins/topbar/"}], "descriptions": [{"lang": "en", "value": "The TopBar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the fme_nb_topbar_save_settings() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-15T08:25:57.866Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10300", "state": "PUBLISHED", "dateUpdated": "2025-10-15T14:31:10.697Z", "dateReserved": "2025-09-11T21:07:45.739Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-15T08:25:57.866Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The TopBar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the fme_nb_topbar_save_settings() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-10300", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-15T09:15:39.400", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/topbar/trunk/admin/class-fme-nb-topbaradmin.php#L131"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/topbar/trunk/admin/class-fme-nb-topbaradmin.php#L38"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/topbar/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8e68cb68-45ab-4c2f-a105-1ef01da42453?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:04:47.891328+00:00", "value": {"mitigation_remediation": ["Upgrade the TopBar plugin to the latest release that adds proper nonce validation for settings updates.", "If a quick upgrade is not possible, temporarily disable the settings update endpoint or enforce a custom nonce check by editing the plugin\u2019s admin file or applying an .htaccess rule that blocks requests lacking the required nonce value.", "Apply a site\u2011wide CSRF mitigation such as a security plugin or CSP that forces nonce validation on all state\u2011changing requests to ensure future changes cannot be performed without a valid token."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Request Forgery enabling unauthenticated plugin settings modification"}, "threat_synthesis": {"affected_systems": "The issue exists in all releases of the TopBar WordPress plugin up to and including version 1.0.0, distributed under the fmeaddons TopBar package. No other vendors or products are listed as affected.", "description_and_impact": "This vulnerability arises from missing or incorrect nonce validation in the TopBar plugin\u2019s settings save function. Because a nonce is not checked, an attacker can construct a forged request that, when performed by a site administrator, changes the plugin\u2019s configuration. The flaw is a classic CSRF weakness identified as CWE\u2011352 and permits modification of configuration without authentication.", "risk_and_exploitability": "The CVSS score of 4.3 places the vulnerability in the low to moderate range, while the EPSS score of <1% indicates a very low probability of exploitation. The attack requires an unauthenticated attacker to coerce an administrator into visiting a crafted link or form, making it a social\u2011engineering type threat. The vulnerability is not listed in CISA\u2019s KEV catalog."}}}}, "created": "2025-10-20T13:26:53.320288+00:00", "updated": "2026-04-22T13:15:17.842404+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}