{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13438", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-19T19:03:35.513Z", "datePublished": "2026-02-19T04:36:14.713Z", "dateUpdated": "2026-04-08T16:59:35.601Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:35.601Z"}, "affected": [{"vendor": "dienodigital", "product": "Page Title, Description & Open Graph Updater", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.02", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on multiple AJAX actions including dieno_update_page_title. This makes it possible for unauthenticated attackers to update page titles and metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Page Title, Description & Open Graph Updater <= 1.02 - Cross-Site Request Forgery to Arbitrary Page Title Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e02e94f-e0f4-4a6a-9670-702b2d0a78c1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/page-title-description-open-graph-updater/trunk/Classes/dieno_quick_edits_functions.php#L73"}, {"url": "https://plugins.trac.wordpress.org/browser/page-title-description-open-graph-updater/tags/1.02/Classes/dieno_quick_edits_functions.php#L73"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "dayea song"}], "timeline": [{"time": "2026-02-18T15:38:26.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T17:03:36.268170Z", "id": "CVE-2025-13438", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:36:21.533Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13438", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T17:03:36.268170Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:03:37.769Z"}}], "cna": {"title": "Page Title, Description & Open Graph Updater <= 1.02 - Cross-Site Request Forgery to Arbitrary Page Title Modification", "credits": [{"lang": "en", "type": "finder", "value": "dayea song"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "dienodigital", "product": "Page Title, Description & Open Graph Updater", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.02"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-18T15:38:26.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e02e94f-e0f4-4a6a-9670-702b2d0a78c1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/page-title-description-open-graph-updater/trunk/Classes/dieno_quick_edits_functions.php#L73"}, {"url": "https://plugins.trac.wordpress.org/browser/page-title-description-open-graph-updater/tags/1.02/Classes/dieno_quick_edits_functions.php#L73"}], "descriptions": [{"lang": "en", "value": "The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on multiple AJAX actions including dieno_update_page_title. This makes it possible for unauthenticated attackers to update page titles and metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-19T04:36:14.713Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13438", "state": "PUBLISHED", "dateUpdated": "2026-02-19T17:36:21.533Z", "dateReserved": "2025-11-19T19:03:35.513Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-19T04:36:14.713Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on multiple AJAX actions including dieno_update_page_title. This makes it possible for unauthenticated attackers to update page titles and metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Page Title, Description &amp; Open Graph Updater para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 1.02, inclusive. Esto se debe a la falta de validaci\u00f3n de nonce en m\u00faltiples acciones AJAX, incluyendo dieno_update_page_title. Esto hace posible que atacantes no autenticados actualicen los t\u00edtulos de p\u00e1gina y los metadatos a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-13438", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:30.697", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/page-title-description-open-graph-updater/tags/1.02/Classes/dieno_quick_edits_functions.php#L73"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/page-title-description-open-graph-updater/trunk/Classes/dieno_quick_edits_functions.php#L73"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e02e94f-e0f4-4a6a-9670-702b2d0a78c1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.02]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Page Title, Description & Open Graph Updater", "source": "cna", "vendor": "dienodigital"}, "product": "page_title,_description_&_open_graph_updater", "vendor": "dienodigital"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-21T15:54:41.996547+00:00", "value": {"mitigation_remediation": ["Update the Page Title, Description & Open Graph Updater plugin to a release newer than 1.02 that implements nonce validation on all AJAX endpoints.", "Configure the site so that only authenticated administrators can reach the plugin\u2019s AJAX routes, and require multi\u2011factor authentication for administrative accounts.", "Deploy a web\u2011application firewall or an additional CSRF protection plugin to detect and block unauthenticated attempts to modify page titles via the identified endpoints."], "summary": {"action": "Patch", "impact": "Integrity Compromise"}, "threat_synthesis": {"affected_systems": "Any WordPress installation running the Page Title, Description & Open Graph Updater plugin from the vendor dienodigital, in any version up to and including 1.02. No specific patch level beyond 1.02 is provided by the vendor in the advisory. The recommendation is to treat all revisions at or below 1.02 as vulnerable.", "description_and_impact": "The vulnerability lies in a missing nonce check on multiple AJAX actions within the Page Title, Description & Open Graph Updater plugin, enabling an unauthenticated attacker to alter page titles and metadata. By forging a request, an attacker can trick a site administrator into performing an action that changes content on the site. Because the modified data can affect SEO, social media previews, and user perception, the primary outcome is a compromise of the integrity of the site\u2019s content. The weakness is a classic Cross\u2011Site Request Forgery flaw (CWE\u2011352).", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate impact, while the EPSS of less than 1% suggests a low probability of wide exploitation. The vulnerability is not currently listed in CISA\u2019s KEV catalog. Exploitation requires an unauthenticated user to coerce a logged\u2011in administrator to trigger a forged AJAX request; therefore, the attack vector relies on social engineering or malicious links. Successful exploitation permits arbitrary alteration of on\u2011page titles and metadata, but requires no further privileges once the administrator submits the request."}}}}, "created": "2026-02-19T10:07:10.456846+00:00", "updated": "2026-04-21T16:00:13.276832+00:00", "vendors": ["dienodigital", "dienodigital$PRODUCT$page_title,_description_&_open_graph_updater", "wordpress", "wordpress$PRODUCT$wordpress"]}