{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10375", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-12T15:42:42.324Z", "datePublished": "2025-10-11T09:28:42.013Z", "dateUpdated": "2026-04-08T17:29:26.514Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:26.514Z"}, "affected": [{"vendor": "accessibewp", "product": "Web Accessibility by accessiBe", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Web Accessibility By accessiBe plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10. This is due to missing nonce validation on multiple AJAX actions including accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. This makes it possible for unauthenticated attackers to modify plugin settings and create verification files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Web Accessibility By accessiBe <= 2.10 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3aac40c-1576-45b5-90f8-14ff05c089c7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/accessibe/tags/2.7/class.accessibeforwp.php#L273"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3376235%40accessibe&new=3376235%40accessibe&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Moose Love"}], "timeline": [{"time": "2025-10-10T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-14T18:31:53.221319Z", "id": "CVE-2025-10375", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-14T18:44:50.500Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10375", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-14T18:31:53.221319Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-14T18:31:54.089Z"}}], "cna": {"title": "Web Accessibility By accessiBe <= 2.10 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Moose Love"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "accessibewp", "product": "Web Accessibility by accessiBe", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.10"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-10T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3aac40c-1576-45b5-90f8-14ff05c089c7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/accessibe/tags/2.7/class.accessibeforwp.php#L273"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3376235%40accessibe&new=3376235%40accessibe&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Web Accessibility By accessiBe plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10. This is due to missing nonce validation on multiple AJAX actions including accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. This makes it possible for unauthenticated attackers to modify plugin settings and create verification files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-11T09:28:42.013Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10375", "state": "PUBLISHED", "dateUpdated": "2025-10-14T18:44:50.500Z", "dateReserved": "2025-09-12T15:42:42.324Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-11T09:28:42.013Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Web Accessibility By accessiBe plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10. This is due to missing nonce validation on multiple AJAX actions including accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. This makes it possible for unauthenticated attackers to modify plugin settings and create verification files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-10375", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-11T10:15:42.310", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/accessibe/tags/2.7/class.accessibeforwp.php#L273"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3376235%40accessibe&new=3376235%40accessibe&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3aac40c-1576-45b5-90f8-14ff05c089c7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:23:00.967304+00:00", "value": {"mitigation_remediation": ["Upgrade the accessiBe Web Accessibility plugin to a version newer than 2.10, ensuring the blocked CSRF flaw is removed.", "If an immediate update is not feasible, restrict the vulnerable AJAX endpoints by adding nonce checks or limiting access to authenticated administrators only\u2014this can be achieved with custom code or a suitable WordPress security plugin that enforces request validation.", "Implement a web application firewall or security plugin that monitors and blocks suspicious POST requests to the AJAX actions listed above, reducing the likelihood that forged requests reach the server."], "summary": {"action": "Patch Immediately", "impact": "Cross-Site Request Forgery that allows unauthenticated users to alter plugin settings and create verification files"}, "threat_synthesis": {"affected_systems": "The affected system is the accessiBe Web Accessibility plugin for WordPress, inclusively all releases up to and including version 2.10. Users running these versions should review their installations to confirm the plugin version and ensure they are not using the compromised code. No other WordPress core or plugin components are reported to be impacted.", "description_and_impact": "The Web Accessibility By accessiBe WordPress plugin suffers a CSRF flaw in versions 2.10 and earlier due to the omission of nonce validation on several AJAX endpoints such as accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. Because the requests can be forged without user credentials, an attacker can cause a site administrator to execute actions that change plugin configuration or add verification files with unauthorized content. This directly compromises the integrity of the plugin settings and could be leveraged to introduce malicious code into the site. The weakness is a traditional Cross\u2011Site Request Forgery (CWE\u2011352).", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The flaw requires no authentication, but it does rely on an administrator clicking a forged link or button, making attackers typically employ social engineering or phishing to trigger the vulnerable AJAX requests. While the vulnerability is not yet listed in CISA\u2019s KEV catalog, the potential for undetected exploitation remains. Organizations should consider the risk especially if they rely heavily on the accessiBe plugin for website accessibility compliance."}}}}, "created": "2025-10-20T16:15:03.900237+00:00", "updated": "2026-04-21T02:30:25.830002+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}