{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12578", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-31T21:11:34.927Z", "datePublished": "2025-11-27T02:26:12.191Z", "dateUpdated": "2026-04-08T16:35:30.304Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:30.304Z"}, "affected": [{"vendor": "rnags", "product": "Reuters Direct", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Reuters Direct plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the the 'class-reuters-direct-settings.php' page. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Reuters Direct <= 3.0.0 - Cross-Site Request Forgery to Settings Reset", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e98a899-1578-45bf-ba1d-92703e38abd9?source=cve"}, {"url": "https://wordpress.org/plugins/reuters-direct/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-11-26T14:20:46.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-28T14:39:42.477092Z", "id": "CVE-2025-12578", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-28T19:34:10.772Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12578", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-28T14:39:42.477092Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-28T14:39:43.194Z"}}], "cna": {"title": "Reuters Direct <= 3.0.0 - Cross-Site Request Forgery to Settings Reset", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "rnags", "product": "Reuters Direct", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-26T14:20:46.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e98a899-1578-45bf-ba1d-92703e38abd9?source=cve"}, {"url": "https://wordpress.org/plugins/reuters-direct/"}], "descriptions": [{"lang": "en", "value": "The Reuters Direct plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the the 'class-reuters-direct-settings.php' page. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:30.304Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12578", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:35:30.304Z", "dateReserved": "2025-10-31T21:11:34.927Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-27T02:26:12.191Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Reuters Direct plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the the 'class-reuters-direct-settings.php' page. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-12578", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-27T03:15:57.150", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/reuters-direct/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e98a899-1578-45bf-ba1d-92703e38abd9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T21:02:12.087741+00:00", "value": {"mitigation_remediation": ["Update the Reuters Direct plugin to the latest available version that addresses the CSRF issue.", "Restrict access to the WordPress administration area to trusted IP addresses or enforce two\u2011factor authentication to reduce the chance that an administrator follows a malicious link.", "Add or restore proper nonce validation on the plugin\u2019s settings page, or patch the source code to enforce CSRF protection."], "summary": {"action": "Assess Impact", "impact": "Unauthenticated attackers can reset the Reuters Direct plugin settings via CSRF, potentially disrupting site configuration and operations"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all versions of the Reuters Direct plugin for WordPress up to and including 3.0.0.", "description_and_impact": "The Reuters Direct plugin for WordPress suffers from a missing or incorrectly implemented nonce check on its settings page, enabling a cross\u2011site request forgery attack. An unauthenticated attacker can craft a forged request that, when a site administrator clicks a link or performs an action, forces the plugin to reset its configuration to defaults. This vulnerability does not allow code execution but can lead to unintended configuration changes that may impair the site\u2019s functionality.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate risk. The EPSS score of less than 1% suggests a very low likelihood of exploitation, and the vulnerability is not listed in CISA\u2019s KEV catalog. Likely attack vectors involve social engineering whereby an attacker induces an administrator to click a malicious link; this requires the target to be logged into the admin interface and does not require any additional privileges."}}}}, "created": "2025-11-27T16:26:33.014666+00:00", "updated": "2026-04-22T21:15:27.674127+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}