{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10312", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-11T23:20:26.471Z", "datePublished": "2025-10-15T08:25:58.231Z", "dateUpdated": "2026-04-08T17:09:36.630Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:36.630Z"}, "affected": [{"vendor": "steve-forster", "product": "Theme Importer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Theme Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation when processing form submissions in the theme-importer.php file. This makes it possible for unauthenticated attackers to trigger arbitrary file downloads and potentially execute malicious operations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Theme Importer <= 1.0 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9316796b-312f-4562-b92f-7de0129e4163?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/theme-importer/trunk/theme-importer.php#L71"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-10-14T19:46:46.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-15T14:29:18.815946Z", "id": "CVE-2025-10312", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T14:29:27.032Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10312", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-15T14:29:18.815946Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T14:29:23.794Z"}}], "cna": {"title": "Theme Importer <= 1.0 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "steve-forster", "product": "Theme Importer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-14T19:46:46.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9316796b-312f-4562-b92f-7de0129e4163?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/theme-importer/trunk/theme-importer.php#L71"}], "descriptions": [{"lang": "en", "value": "The Theme Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation when processing form submissions in the theme-importer.php file. This makes it possible for unauthenticated attackers to trigger arbitrary file downloads and potentially execute malicious operations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:36.630Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10312", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:09:36.630Z", "dateReserved": "2025-09-11T23:20:26.471Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-15T08:25:58.231Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Theme Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation when processing form submissions in the theme-importer.php file. This makes it possible for unauthenticated attackers to trigger arbitrary file downloads and potentially execute malicious operations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-10312", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-15T09:15:40.183", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/theme-importer/trunk/theme-importer.php#L71"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9316796b-312f-4562-b92f-7de0129e4163?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:04:25.079492+00:00", "value": {"mitigation_remediation": ["Upgrade Theme Importer to the latest available version to remove the nonce validation flaw.", "If an update is not available immediately, disable or delete the Theme Importer plugin until a patch is released.", "Apply additional CSRF protection, such as a web application firewall or a plugin that enforces nonce checks on all administrative actions."], "summary": {"action": "Update Plugin", "impact": "Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "The affected system is the WordPress Theme Importer plugin developed by steve\u2011forster. All versions up to and including 1.0 are vulnerable. Sites running any of these versions are at risk until the plugin is updated or removed.", "description_and_impact": "The Plugin is vulnerable to a Cross\u2011Site Request Forgery flaw caused by missing nonce validation when processing form submissions. An unauthenticated attacker can craft a forged request that, if a site administrator unknowingly submits it\u2014such as by clicking a link\u2014triggers arbitrary file downloads or other malicious operations. The weakness is identified as CWE-352. The impact is that an attacker can coerce an administrator into performing actions the attacker wants, potentially leading to unauthorized file access or further exploitation depending on the victim\u2019s role and privileges.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity. The EPSS score of < 1% signals a very low likelihood of widespread exploitation at this time, and the vulnerability is not present in the CISA KEV list. However, because the attack requires the target administrator to perform an action that may not be obvious, the risk remains real for active sites with the plugin installed. Exploitation is possible when an attacker can deliver a malicious link or form to an admin user."}}}}, "created": "2025-10-20T13:26:56.230895+00:00", "updated": "2026-04-22T13:15:17.842000+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}