{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9374", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-22T21:23:25.172Z", "datePublished": "2025-08-29T04:25:28.998Z", "dateUpdated": "2026-04-08T16:41:28.035Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:28.035Z"}, "affected": [{"vendor": "briancolinger", "product": "Ultimate Tag Warrior Importer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ultimate Tag Warrior Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to import tags granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Ultimate Tag Warrior Importer <= 0.2 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/218d0d28-16db-4d9c-b643-6cc2edfc74e2?source=cve"}, {"url": "https://wordpress.org/plugins/utw-importer/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-08-28T15:44:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-29T11:59:59.232003Z", "id": "CVE-2025-9374", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-29T12:00:10.774Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9374", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-29T11:59:59.232003Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-29T12:00:04.139Z"}}], "cna": {"title": "Ultimate Tag Warrior Importer <= 0.2 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "briancolinger", "product": "Ultimate Tag Warrior Importer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-28T15:44:35.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/218d0d28-16db-4d9c-b643-6cc2edfc74e2?source=cve"}, {"url": "https://wordpress.org/plugins/utw-importer/"}], "descriptions": [{"lang": "en", "value": "The Ultimate Tag Warrior Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to import tags granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:28.035Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9374", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:41:28.035Z", "dateReserved": "2025-08-22T21:23:25.172Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-29T04:25:28.998Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ultimate Tag Warrior Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to import tags granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9374", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-29T05:15:32.063", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/utw-importer/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/218d0d28-16db-4d9c-b643-6cc2edfc74e2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:56:59.550181+00:00", "value": {"mitigation_remediation": ["Upgrade the Ultimate Tag Warrior Importer plugin to a version later than 0.2 that includes proper nonce validation.", "If a patched version is not available, disable or uninstall the plugin entirely and remove unused tag import functionality.", "Restrict administrator access to a minimal set of trusted users and enforce multi\u2011factor authentication for all privileged accounts.", "Apply additional security controls such as a web application firewall to detect and block suspicious POST requests targeting the tag import endpoint."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "All installations of the Ultimate Tag Warrior Importer plugin version 0.2 or earlier on WordPress sites are affected.", "description_and_impact": "The vulnerability allows an attacker to perform a cross\u2011site request forgery that results in the unauthorized import of tags. Because the plugin fails to validate the required nonces, an attacker only needs to entice a site administrator to click a crafted link. This can lead to the injection of unwanted tags and the alteration of taxonomy structure, potentially disrupting site navigation and content organization, although it does not grant direct code execution or database compromise.", "risk_and_exploitability": "The CVSS score of 4.3 classifies the issue as low severity, and the EPSS score of <1% indicates a very low likelihood of active exploitation. The flaw is not listed in the CISA KEV catalog. The exploitation requires persuading an authenticated administrator to perform an action, such as clicking a malicious link, which is a simple and typical CSRF attack vector."}}}}, "created": "2025-09-01T09:02:05.829341+00:00", "updated": "2026-04-22T17:00:12.331847+00:00", "vendors": ["briancolinger", "briancolinger$PRODUCT$ultimate_tag_warrior_importer", "wordpress", "wordpress$PRODUCT$wordpress"]}