{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7835", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-18T19:25:16.829Z", "datePublished": "2025-07-24T09:22:21.998Z", "dateUpdated": "2026-04-08T17:30:49.913Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:49.913Z"}, "affected": [{"vendor": "gerkin", "product": "iThoughts Advanced Code Editor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The iThoughts Advanced Code Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.10. This is due to missing or incorrect nonce validation on the 'ithoughts_ace_update_options' AJAX action. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "iThoughts Advanced Code Editor <= 1.2.10 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e99ed03f-ed0a-4f17-b9fe-db0a0e573ed2?source=cve"}, {"url": "https://wordpress.org/plugins/ithoughts-advanced-code-editor/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-07-23T20:45:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-24T13:10:01.925596Z", "id": "CVE-2025-7835", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T13:10:14.653Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7835", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-24T13:10:01.925596Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T13:10:12.351Z"}}], "cna": {"title": "iThoughts Advanced Code Editor <= 1.2.10 - Cross-Site Request Forgery to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "gerkin", "product": "iThoughts Advanced Code Editor", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.2.10"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-23T20:45:31.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e99ed03f-ed0a-4f17-b9fe-db0a0e573ed2?source=cve"}, {"url": "https://wordpress.org/plugins/ithoughts-advanced-code-editor/"}], "descriptions": [{"lang": "en", "value": "The iThoughts Advanced Code Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.10. This is due to missing or incorrect nonce validation on the 'ithoughts_ace_update_options' AJAX action. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-07-24T09:22:21.998Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7835", "state": "PUBLISHED", "dateUpdated": "2025-07-24T13:10:14.653Z", "dateReserved": "2025-07-18T19:25:16.829Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-24T09:22:21.998Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The iThoughts Advanced Code Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.10. This is due to missing or incorrect nonce validation on the 'ithoughts_ace_update_options' AJAX action. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento iThoughts Advanced Code Editor para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 1.2.10 incluida. Esto se debe a la falta o la validaci\u00f3n incorrecta de nonce en la acci\u00f3n AJAX 'ithoughts_ace_update_options'. Esto permite que atacantes no autenticados actualicen la configuraci\u00f3n del complemento mediante una solicitud falsificada, ya que pueden enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-7835", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-24T10:15:28.927", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/ithoughts-advanced-code-editor/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e99ed03f-ed0a-4f17-b9fe-db0a0e573ed2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:07:38.049509+00:00", "value": {"mitigation_remediation": ["Upgrade iThoughts Advanced Code Editor to version 1.2.11 or later, which includes proper nonce validation for the update action", "If an upgrade is not immediately possible, restrict access to the ithoughts_ace_update_options AJAX action by disabling it for non\u2011authenticated requests or removing the endpoint entirely", "Implement additional WordPress security measures such as a robust nonce system or a trusted\u2011origin policy to reduce the risk of CSRF attacks"], "summary": {"action": "Update Plugin", "impact": "Cross\u2011Site Request Forgery allowing unauthenticated attackers to alter plugin settings"}, "threat_synthesis": {"affected_systems": "All installations of iThoughts Advanced Code Editor version 1.2.10 or earlier, sourced from the Gerkin vendor. The affected component is the settings update endpoint handled by the plugin within a WordPress site.", "description_and_impact": "The vulnerability stems from missing or incorrect nonce validation on the ithoughts_ace_update_options AJAX action in the iThoughts Advanced Code Editor WordPress plugin. Because of this omission, an attacker does not need credentials to change plugin configuration. By tricking an administrator into clicking a crafted link or otherwise making a forged request, the attacker can modify settings that may affect code editing behavior, security features, or plugin functionality.", "risk_and_exploitability": "The CVSS score of 4.3 places the vulnerability in the moderate severity range, and the EPSS score of less than 1% indicates a very low probability of exploitation in the broader ecosystem. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog. This CSRF flaw requires social engineering or a pre\u2011existing malicious link to persuade an administrator to execute a forged request, making exploitation user\u2011dependent and less likely to spread automatically."}}}}, "created": "2025-07-24T21:26:42.069774+00:00", "updated": "2026-04-20T22:15:06.191572+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}