{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9616", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-28T17:42:17.929Z", "datePublished": "2025-09-04T09:22:24.265Z", "dateUpdated": "2026-04-08T17:04:20.500Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:20.500Z"}, "affected": [{"vendor": "alobaidi", "product": "PopAd", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The PopAd plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the PopAd_reset_cookie_time function. This makes it possible for unauthenticated attackers to reset cookie time settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "PopAd <= 1.0.4 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/842f3cb4-857e-4e9c-b84e-9a47ec65db0d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/popad/trunk/admin/admin.php#L548"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-09-03T21:05:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-04T14:26:49.294797Z", "id": "CVE-2025-9616", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-04T14:26:54.162Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9616", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-04T14:26:49.294797Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-04T14:26:51.650Z"}}], "cna": {"title": "PopAd <= 1.0.4 - Cross-Site Request Forgery to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "alobaidi", "product": "PopAd", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-03T21:05:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/842f3cb4-857e-4e9c-b84e-9a47ec65db0d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/popad/trunk/admin/admin.php#L548"}], "descriptions": [{"lang": "en", "value": "The PopAd plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the PopAd_reset_cookie_time function. This makes it possible for unauthenticated attackers to reset cookie time settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:20.500Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9616", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:20.500Z", "dateReserved": "2025-08-28T17:42:17.929Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-04T09:22:24.265Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The PopAd plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the PopAd_reset_cookie_time function. This makes it possible for unauthenticated attackers to reset cookie time settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9616", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-04T10:42:35.773", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/popad/trunk/admin/admin.php#L548"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/842f3cb4-857e-4e9c-b84e-9a47ec65db0d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:16:50.713510+00:00", "value": {"mitigation_remediation": ["Upgrade the PopAd plugin to a version newer than 1.0.4.", "If an upgrade is unavailable, edit the plugin file admin/admin.php to add a nonce check to the PopAd_reset_cookie_time function or comment out the function entirely.", "Configure a web application firewall rule that rejects requests to the reset cookie time endpoint from unauthenticated users or requires proper nonce validation."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Request Forgery \u2013 Unauthorized Settings Update"}, "threat_synthesis": {"affected_systems": "The affected component is the PopAd plugin by alobaidi, deployed on WordPress sites. All installed versions of PopAd version 1.0.4 or earlier are vulnerable. No other WordPress plugins or core software is listed as affected.", "description_and_impact": "The PopAd plugin for WordPress contains a Cross\u2011Site Request Forgery flaw in versions up to 1.0.4. The flaw arises from missing or incorrect nonce validation on the function that resets cookie time settings. An attacker who can trick a logged\u2011in site administrator into submitting a crafted request may cause the administrator to reset the cookie time settings without authorization. This changes cookie expiration behavior and can enable easier persistence or session reuse, undermining the intended security posture of the site.", "risk_and_exploitability": "The CVSS score of 5.3 categorizes the vulnerability as moderate, and it carries an EPSS score of less than 1%, indicating a very low probability of exploitation at the time of analysis. Because the flaw relies on CSRF via a forged request that merely requires tripping an administrator into clicking a link, the vulnerability is not considered a high\u2011risk attack vector. Nonetheless, it is not listed in the CISA KEV catalog, which means no publicly available exploit is known but the nature of CSRF suggests that attackers could still pose a threat to sites with insufficient user training or internal controls. Mitigation should focus on ensuring proper nonce validation or disabling the vulnerable functionality before an official patch is applied."}}}}, "created": "2025-09-04T13:12:04.179209+00:00", "updated": "2026-04-21T03:30:26.328275+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}