{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12587", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-31T22:27:24.251Z", "datePublished": "2025-11-25T07:28:27.819Z", "dateUpdated": "2026-04-08T17:35:27.058Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:35:27.058Z"}, "affected": [{"vendor": "webgarh", "product": "Peer Publish", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Peer Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the website management pages. This makes it possible for unauthenticated attackers to add, modify, or delete website configurations via a forged request granted they can trick an administrator into performing an action such as clicking on a link."}], "title": "Peer Publish <= 1.0 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fffa6c31-8da0-48d7-b603-64f50950787b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/peer-publish/tags/1.0/admin/admin-pages/newwebsite.php#L17"}, {"url": "https://plugins.trac.wordpress.org/browser/peer-publish/tags/1.0/admin/admin-pages/websites.php#L20"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "dayea song"}], "timeline": [{"time": "2025-11-24T19:07:03.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-25T14:23:26.432809Z", "id": "CVE-2025-12587", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:23:55.289Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12587", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-25T14:23:26.432809Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:23:48.687Z"}}], "cna": {"title": "Peer Publish <= 1.0 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "dayea song"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "webgarh", "product": "Peer Publish", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-24T19:07:03.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fffa6c31-8da0-48d7-b603-64f50950787b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/peer-publish/tags/1.0/admin/admin-pages/newwebsite.php#L17"}, {"url": "https://plugins.trac.wordpress.org/browser/peer-publish/tags/1.0/admin/admin-pages/websites.php#L20"}], "descriptions": [{"lang": "en", "value": "The Peer Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the website management pages. This makes it possible for unauthenticated attackers to add, modify, or delete website configurations via a forged request granted they can trick an administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:35:27.058Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12587", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:35:27.058Z", "dateReserved": "2025-10-31T22:27:24.251Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-25T07:28:27.819Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Peer Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the website management pages. This makes it possible for unauthenticated attackers to add, modify, or delete website configurations via a forged request granted they can trick an administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-12587", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-25T08:15:48.913", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/peer-publish/tags/1.0/admin/admin-pages/newwebsite.php#L17"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/peer-publish/tags/1.0/admin/admin-pages/websites.php#L20"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fffa6c31-8da0-48d7-b603-64f50950787b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:18:01.813666+00:00", "value": {"mitigation_remediation": ["Apply the latest Peer Publish plugin update, any version above 1.0, which removes the CSRF vulnerability", "If an update cannot be deployed immediately, disable or secure the website management pages or block access to them for unauthenticated or non\u2011admin users", "Implement or enforce WordPress nonce checks on all forms handling configuration changes to ensure every state\u2011changing request is validated"], "summary": {"action": "Immediate Patching", "impact": "Cross\u2011Site Request Forgery that permits unauthenticated modification of WordPress site configurations when an administrator clicks a forged link"}, "threat_synthesis": {"affected_systems": "All installations of the Peer Publish WordPress plugin version 1.0 and earlier. The vulnerability resides in the website management admin pages accessed by site administrators.", "description_and_impact": "The Peer Publish plugin suffers from a CSRF flaw due to missing nonce validation on its admin pages. When an attacker can lunge an authenticated administrator into clicking a crafted link, the admin can add, change, or delete website configuration settings without entering any credentials. This flaw enables an attacker to alter or destroy site setup information that could affect multiple hosted sites.", "risk_and_exploitability": "With a CVSS score of 4.3, the flaw is classified as moderate severity. The EPSS score of less than 1% indicates a low probability of exploitation at present, and the vulnerability is not in the CISA KEV catalog. Exploitation requires that an administrator be tricked into executing a forged request while an authenticated session is active; otherwise, the request is rejected due to the absence of a nonce."}}}}, "created": "2025-11-26T11:10:41.412600+00:00", "updated": "2026-04-21T01:30:24.386124+00:00", "vendors": ["webgarh", "webgarh$PRODUCT$peer_publish", "wordpress", "wordpress$PRODUCT$wordpress"]}