{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6064", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-13T13:31:42.647Z", "datePublished": "2025-06-14T08:23:22.208Z", "dateUpdated": "2026-04-08T16:36:56.017Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:56.017Z"}, "affected": [{"vendor": "djerba", "product": "WP URL Shortener", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP URL Shortener plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the 'url_shortener_settings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "WP URL Shortener <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/154b3a1a-7246-42de-a555-2c655778d59e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-url-shortener/trunk/index.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-06-13T19:45:34.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-16T16:46:06.406063Z", "id": "CVE-2025-6064", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T18:39:51.077Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP URL Shortener plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the 'url_shortener_settings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento WP URL Shortener para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 1.2 incluida. Esto se debe a la falta o a una validaci\u00f3n de nonce incorrecta en la p\u00e1gina 'url_shortener_settings'. Esto permite que atacantes no autenticados actualicen la configuraci\u00f3n e inyecten scripts web maliciosos mediante una solicitud falsificada, ya que pueden enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-6064", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-06-14T09:15:24.853", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-url-shortener/trunk/index.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/154b3a1a-7246-42de-a555-2c655778d59e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:50:03.962054+00:00", "value": {"mitigation_remediation": ["Install the latest version of WP URL Shortener (1.3 or higher) to fix the missing nonce validation.", "If an upgrade cannot be applied immediately, disable or uninstall the plugin to eliminate the attack surface until the fix is available.", "Review and ensure that all administrative endpoints enforce a valid nonce before processing input, in line with best practices for CSRF protection."], "summary": {"action": "Update plugin", "impact": "Stored XSS via CSRF"}, "threat_synthesis": {"affected_systems": "This flaw affects the djerba: WP URL Shortener plugin for WordPress in all releases up to and including version 1.2. No other versions are listed as affected by the CNA.", "description_and_impact": "The WP URL Shortener plugin allows attackers to perform cross\u2011site request forgery on the settings page because a nonce check is missing or implemented incorrectly. By sending a forged request to this page, an unauthenticated attacker can modify plugin settings and inject arbitrary web scripts that are then stored in the database. The injected scripts execute in the context of the site, giving an attacker the ability to hijack administrator sessions, steal credentials, or distribute malware to visitors. This vulnerability directly results in a stored cross\u2011site scripting flaw governed by CWE\u2011352.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, so no known widespread exploitation has been reported. The attack requires an attacker to trick a site administrator into clicking a crafted link or submitting a form, creating a CSRF exploit path that is easy to engineer but requires human interaction. Attackers can therefore gain escalated privileges on the affected WordPress instance, though they must rely on social engineering to complete the attack."}}}}, "created": "2026-04-22T15:00:05.611912+00:00", "updated": "2026-04-22T15:00:05.611923+00:00", "vendors": []}