{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12070", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-22T13:56:26.427Z", "datePublished": "2025-11-04T03:26:45.215Z", "dateUpdated": "2026-04-08T16:32:25.505Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:25.505Z"}, "affected": [{"vendor": "viaads", "product": "ViaAds", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ViaAds plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.2. This is due to missing nonce validation on the `ViaAds_pluginHandler` function. This makes it possible for unauthenticated attackers to modify the plugin's API key and cookie consent settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link."}], "title": "ViaAds <= 2.1.2 - Cross-Site Request Forgery to API Key Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/00f65117-e8f7-41d8-bdf4-c1fab03e4792?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/viaads/tags/2.1.1/apikey.php#L81"}, {"url": "https://plugins.trac.wordpress.org/changeset/3395777/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-11-03T15:18:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-04T18:50:02.394814Z", "id": "CVE-2025-12070", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T18:50:13.151Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12070", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-04T18:50:02.394814Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T18:50:07.879Z"}}], "cna": {"title": "ViaAds <= 2.1.2 - Cross-Site Request Forgery to API Key Update", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "viaads", "product": "ViaAds", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-03T15:18:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/00f65117-e8f7-41d8-bdf4-c1fab03e4792?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/viaads/tags/2.1.1/apikey.php#L81"}, {"url": "https://plugins.trac.wordpress.org/changeset/3395777/"}], "descriptions": [{"lang": "en", "value": "The ViaAds plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.2. This is due to missing nonce validation on the `ViaAds_pluginHandler` function. This makes it possible for unauthenticated attackers to modify the plugin's API key and cookie consent settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:25.505Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12070", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:32:25.505Z", "dateReserved": "2025-10-22T13:56:26.427Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-04T03:26:45.215Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ViaAds plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.2. This is due to missing nonce validation on the `ViaAds_pluginHandler` function. This makes it possible for unauthenticated attackers to modify the plugin's API key and cookie consent settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-12070", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-04T04:15:37.433", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/viaads/tags/2.1.1/apikey.php#L81"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3395777/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/00f65117-e8f7-41d8-bdf4-c1fab03e4792?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T21:22:19.627678+00:00", "value": {"mitigation_remediation": ["Update the ViaAds plugin to a version newer than 2.1.2, which includes proper nonce validation.", "Restrict access to WordPress administrative pages to trusted users and enable two\u2011factor authentication for admin accounts.", "Verify that API key and cookie consent changes are protected by CSRF tokens; disable direct modification of the API key if it is not required."], "summary": {"action": "Update plugin", "impact": "Unauthorized configuration change via CSRF"}, "threat_synthesis": {"affected_systems": "The ViaAds plugin for WordPress, all releases up to and including version 2.1.2, is affected.", "description_and_impact": "The ViaAds WordPress plugin allows an unauthenticated user to perform a Cross\u2011Site Request Forgery against the ViaAds_pluginHandler function due to missing nonce validation. This flaw lets an attacker change the plugin's API key and cookie consent settings if an administrator clicks a forged request. The attack results in an unauthorized configuration change that could affect data transfer or tracking on the site.", "risk_and_exploitability": "The CVSS score of 4.3 reflects a moderate risk, with exploitation requiring an attacker to convince an administrator to conduct a forged request. Because the EPSS score is less than 1%, the current probability of exploitation is low, and the vulnerability is not yet listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker must trick an admin into clicking a link to trigger the change."}}}}, "created": "2025-11-04T16:33:17.807817+00:00", "updated": "2026-04-22T21:30:27.817978+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}