{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5932", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-09T15:05:07.647Z", "datePublished": "2025-06-26T02:22:20.947Z", "dateUpdated": "2026-04-08T16:46:13.806Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:13.806Z"}, "affected": [{"vendor": "coolrunner", "product": "Homerunner", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.30", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.30. This is due to missing or incorrect nonce validation on the main_settings() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Homerunner <= 1.0.30 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/36eaff34-50cd-4399-8314-19ae4f50d017?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/homerunner-smartcheckout/tags/1.0.29/classes/class-settings.php#L319"}, {"url": "https://plugins.trac.wordpress.org/browser/homerunner-smartcheckout/tags/1.0.31/classes/class-settings.php#L483"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-06-25T14:07:19.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-26T13:24:24.950534Z", "id": "CVE-2025-5932", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-26T13:24:37.624Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5932", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-26T13:24:24.950534Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-26T13:24:32.080Z"}}], "cna": {"title": "Homerunner <= 1.0.30 - Cross-Site Request Forgery to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "coolrunner", "product": "Homerunner", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.30"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-25T14:07:19.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/36eaff34-50cd-4399-8314-19ae4f50d017?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/homerunner-smartcheckout/tags/1.0.29/classes/class-settings.php#L319"}, {"url": "https://plugins.trac.wordpress.org/browser/homerunner-smartcheckout/tags/1.0.31/classes/class-settings.php#L483"}], "descriptions": [{"lang": "en", "value": "The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.30. This is due to missing or incorrect nonce validation on the main_settings() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:13.806Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5932", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:46:13.806Z", "dateReserved": "2025-06-09T15:05:07.647Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-26T02:22:20.947Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:coolrunner:homerunner:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "C307CDA2-7F38-4E71-A149-7B578715E860", "versionEndIncluding": "1.0.29", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.30. This is due to missing or incorrect nonce validation on the main_settings() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Homerunner para WordPress es vulnerable a cross-site request forgery en todas las versiones hasta la 1.0.29 incluida. Esto se debe a la falta o la validaci\u00f3n incorrecta de nonce en la funci\u00f3n main_settings(). Esto permite que atacantes no autenticados actualicen la configuraci\u00f3n del complemento mediante una solicitud falsificada, ya que pueden enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-5932", "lastModified": "2026-04-08T18:24:58.637", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-06-26T03:15:25.110", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/homerunner-smartcheckout/tags/1.0.29/classes/class-settings.php#L319"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/homerunner-smartcheckout/tags/1.0.31/classes/class-settings.php#L483"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/36eaff34-50cd-4399-8314-19ae4f50d017?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:02:58.512350+00:00", "value": {"mitigation_remediation": ["Upgrade the Homerunner plugin to version 1.0.31 or later.", "If the plugin is not essential, uninstall or disable it to eliminate the vulnerability.", "Configure a web application firewall to detect and block CSRF requests targeting the plugin\u2019s settings endpoint."], "summary": {"action": "Patch", "impact": "Unauthorized configuration change via CSRF"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in every release of the Homerunner plugin up to and including version 1.0.30. Any WordPress site that has installed these versions, provided by the vendor coolrunner, is affected. The attack surface is limited to the plugin\u2019s settings page, but the impact can be felt across the entire WordPress installation if the changed settings influence core functionality or security.", "description_and_impact": "The Homerunner plugin for WordPress contains a cross\u2011site request forgery flaw caused by missing or incorrect nonce validation in the main_settings() function. Because the plugin accepts configuration changes without verifying a valid authentication token, an unauthenticated attacker can forge a request that causes an administrator to unintentionally submit a settings update. The result is unauthorized modification of plugin configuration, which can alter site behavior or expose sensitive options. This weakness aligns with CWE-352.", "risk_and_exploitability": "The CVSS base score of 4.3 indicates moderate severity, and the EPSS score of less than 1\u202f% suggests a low likelihood of exploitation at the time of this assessment. The vulnerability is not listed in the CISA KEV catalog, further implying no widespread, weaponized use. Nevertheless, because the flaw requires a simple forged request and only an administrator\u2019s interaction to succeed, a site that has the plugin active represents a moderate risk that should be addressed by applying the available fix promptly."}}}}, "created": "2025-07-06T22:16:31.717317+00:00", "updated": "2026-04-21T20:15:44.573457+00:00", "vendors": ["coolrunner", "coolrunner$PRODUCT$homerunner_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}