{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13684", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-25T19:50:36.998Z", "datePublished": "2025-12-05T07:26:17.419Z", "dateUpdated": "2026-04-08T17:03:13.105Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:13.105Z"}, "affected": [{"vendor": "alexkar", "product": "ARK Related Posts", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.19", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ARK Related Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 2.19. This is due to missing or incorrect nonce validation on the ark_rp_options_page function. This makes it possible for unauthenticated attackers to modify the plugin's configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "ARK Related Posts <= 2.19 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7eb53a80-89e5-4d8c-a1ba-c272196a3340?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ark-relatedpost/trunk/ark-relatedpost.php#L109"}, {"url": "https://plugins.trac.wordpress.org/browser/ark-relatedpost/tags/2.19/ark-relatedpost.php#L109"}, {"url": "https://plugins.trac.wordpress.org/changeset/3416647/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2025-12-04T19:20:29.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T12:58:48.906090Z", "id": "CVE-2025-13684", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T12:58:59.755Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13684", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-05T12:58:48.906090Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T12:58:55.208Z"}}], "cna": {"title": "ARK Related Posts <= 2.19 - Cross-Site Request Forgery to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "alexkar", "product": "ARK Related Posts", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.19"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-04T19:20:29.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7eb53a80-89e5-4d8c-a1ba-c272196a3340?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ark-relatedpost/trunk/ark-relatedpost.php#L109"}, {"url": "https://plugins.trac.wordpress.org/browser/ark-relatedpost/tags/2.19/ark-relatedpost.php#L109"}], "descriptions": [{"lang": "en", "value": "The ARK Related Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 2.19. This is due to missing or incorrect nonce validation on the ark_rp_options_page function. This makes it possible for unauthenticated attackers to modify the plugin's configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-05T07:26:17.419Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13684", "state": "PUBLISHED", "dateUpdated": "2025-12-05T12:58:59.755Z", "dateReserved": "2025-11-25T19:50:36.998Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-05T07:26:17.419Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ARK Related Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 2.19. This is due to missing or incorrect nonce validation on the ark_rp_options_page function. This makes it possible for unauthenticated attackers to modify the plugin's configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin ARK Related Posts para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en la versi\u00f3n 2.19. Esto se debe a la validaci\u00f3n de nonce faltante o incorrecta en la funci\u00f3n ark_rp_options_page. Esto hace posible que atacantes no autenticados modifiquen la configuraci\u00f3n del plugin a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-13684", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-05T08:15:47.883", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ark-relatedpost/tags/2.19/ark-relatedpost.php#L109"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ark-relatedpost/trunk/ark-relatedpost.php#L109"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3416647/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7eb53a80-89e5-4d8c-a1ba-c272196a3340?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:43:59.052162+00:00", "value": {"mitigation_remediation": ["Update the ARK Related Posts plugin to a version newer than 2.19 that restores nonce validation in the settings page.", "Restrict access to the plugin's settings area to administrators only, ensuring no other roles can reach the vulnerable endpoint.", "Configure a web application firewall or equivalent rule to flag requests to ark_rp_options_page that lack a valid nonce, blocking or alerting on such traffic."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Request Forgery allowing unauthorized modification of plugin configuration"}, "threat_synthesis": {"affected_systems": "Vendors: alexkar\u2014ARK Related Posts. Affected plugin versions are 2.19 and all earlier releases. No other versions are reported to be impacted.", "description_and_impact": "The ARK Related Posts WordPress plugin contains a CSRF weakness due to missing or incorrect nonce validation in the ark_rp_options_page function. As a result, an unauthenticated attacker can trick a site administrator into sending a forged request that updates plugin settings. While the vulnerability does not expose code execution, it permits an attacker to alter configuration values that could affect the site\u2019s content display or functionality, compromising the integrity of the site\u2019s appearance and user experience.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at the current time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to entice a legitimate administrator to execute a link or form that submits a POST request to the settings page, exploiting the missing nonce to bypass authentication checks. Consequently, the primary risk is the unauthorized configuration of the plugin by a non\u2011privileged actor."}}}}, "created": "2025-12-05T20:56:29.336304+00:00", "updated": "2026-04-21T17:45:16.492248+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}