{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12827", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-06T19:15:04.869Z", "datePublished": "2025-11-18T08:27:33.413Z", "dateUpdated": "2026-04-08T17:03:44.430Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:44.430Z"}, "affected": [{"vendor": "denishua", "product": "Top Friends", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Top Friends plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing nonce validation on the top_friends_options_subpanel() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Top Friends <= 0.3 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8165196d-0117-473f-8ccf-57ffd3e08e16?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/top-friends/tags/0.3/top-friends.php#L155"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}], "timeline": [{"time": "2025-11-17T20:16:42.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-18T14:40:19.582341Z", "id": "CVE-2025-12827", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T14:40:27.921Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12827", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-18T14:40:19.582341Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T14:40:24.116Z"}}], "cna": {"title": "Top Friends <= 0.3 - Cross-Site Request Forgery to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "denishua", "product": "Top Friends", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-17T20:16:42.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8165196d-0117-473f-8ccf-57ffd3e08e16?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/top-friends/tags/0.3/top-friends.php#L155"}], "descriptions": [{"lang": "en", "value": "The Top Friends plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing nonce validation on the top_friends_options_subpanel() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-18T08:27:33.413Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12827", "state": "PUBLISHED", "dateUpdated": "2025-11-18T14:40:27.921Z", "dateReserved": "2025-11-06T19:15:04.869Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-18T08:27:33.413Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Top Friends plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing nonce validation on the top_friends_options_subpanel() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-12827", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-18T09:15:49.287", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/top-friends/tags/0.3/top-friends.php#L155"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8165196d-0117-473f-8ccf-57ffd3e08e16?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:17:52.648193+00:00", "value": {"mitigation_remediation": ["Update the Top Friends plugin to the latest available version that includes nonce validation and removes the CSRF vector.", "If an update cannot be applied immediately, deactivate or delete the Top Friends plugin from the WordPress installation to eliminate the attack surface.", "For environments where the plugin must remain active temporarily, implement temporary custom code or a security plugin that enforces nonce checks on the plugin's settings page, ensuring that only valid requests are processed."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized modification of Top Friends plugin settings via CSRF"}, "threat_synthesis": {"affected_systems": "All WordPress sites that have the Top Friends plugin installed \u2013 specifically any version up to and including 0.3. The plugin is distributed by the author denishua and is included in the official WordPress plugin repository.", "description_and_impact": "The Top Friends plugin for WordPress contains a Cross\u2011Site Request Forgery vulnerability in all releases up to and including version 0.3. The flaw stems from missing nonce validation in the top_friends_options_subpanel() function, which allows an unauthenticated attacker to send a forged request that will be accepted by the plugin. Because the affected function updates plugin options, a successful exploit can silently change configuration values that may alter site behavior, compromise user data, or enable other downstream attacks. The weakness is identified as CWE-352, a classic CSRF flaw.", "risk_and_exploitability": "The CVSS score of 4.3 places this vulnerability in the moderate severity range. The EPSS score of less than 1% indicates that active exploitation is currently very unlikely. The vulnerability is not listed in the CISA KEV catalog, so no known exploits are publicly documented at this time. The likely attack vector is an unauthenticated attacker crafting a malicious link that an unsuspecting site administrator clicks, triggering the forged POST or GET request to the plugin's settings page. Because the request bypasses nonce checks, the settings can be altered without detection."}}}}, "created": "2025-11-18T14:15:52.540315+00:00", "updated": "2026-04-21T18:30:27.577524+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}