{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9618", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-28T18:28:44.540Z", "datePublished": "2025-08-30T01:45:53.167Z", "dateUpdated": "2026-04-08T17:31:22.308Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:22.308Z"}, "affected": [{"vendor": "wpdreams", "product": "Related Posts Lite", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.12", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Related Posts Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Related Posts Lite <= 1.12 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ec3667ac-1d1f-4faf-923c-7e55c03db3da?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/related-posts-lite/tags/1.12/backend/settings.php#L114"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Sandeep"}], "timeline": [{"time": "2025-08-29T08:25:57.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-29T13:40:33.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-02T19:25:51.756872Z", "id": "CVE-2025-9618", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-02T19:26:00.498Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9618", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-02T19:25:51.756872Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-02T19:25:56.412Z"}}], "cna": {"title": "Related Posts Lite <= 1.12 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Sandeep"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpdreams", "product": "Related Posts Lite", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.12"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-29T08:25:57.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-29T13:40:33.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ec3667ac-1d1f-4faf-923c-7e55c03db3da?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/related-posts-lite/tags/1.12/backend/settings.php#L114"}], "descriptions": [{"lang": "en", "value": "The Related Posts Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-08-30T01:45:53.167Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9618", "state": "PUBLISHED", "dateUpdated": "2025-09-02T19:26:00.498Z", "dateReserved": "2025-08-28T18:28:44.540Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-30T01:45:53.167Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Related Posts Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9618", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-30T02:15:32.990", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/related-posts-lite/tags/1.12/backend/settings.php#L114"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ec3667ac-1d1f-4faf-923c-7e55c03db3da?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:12:44.432297+00:00", "value": {"mitigation_remediation": ["Upgrade the Related Posts Lite plugin to version\u202f1.13 or newer, where nonce validation has been added.", "Ensure that all plugin\u2011related forms include a valid nonce; if the plugin remains vulnerable, consider adding a server\u2011side check for the nonce before applying settings changes.", "Provide training to site administrators to recognize phishing attempts and bypass the common setup for CSRF\u2011attacks, and restrict access to the plugin\u2019s settings page to users who have been vetted."], "summary": {"action": "Update Plugin", "impact": "Unauthorized configuration changes via CSRF"}, "threat_synthesis": {"affected_systems": "Any WordPress installation that uses the wpdreams Related Posts Lite plugin version\u202f1.12 or earlier is affected. The vulnerability resides in the admin dashboard settings page and requires a legitimate administrator account to be tricked into submitting a forged request.", "description_and_impact": "The Related Posts Lite WordPress plugin is vulnerable to a cross\u2011site request forgery flaw because its settings update process lacks proper nonce validation. An attacker who can entice a logged\u2011in administrator to click a forged link can cause the site to store altered plugin configuration, affecting how related posts are displayed or other exposed options. This issue does not grant code execution or data exfiltration but can degrade user experience and erode trust in the site.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while an EPSS score below 1\u202f% suggests a low probability of exploitation. The vulnerability is not listed in CISA KEV. Attackers would need social\u2011engineering techniques to persuade an administrator to click a malicious link, so the risk is largely limited to sites employing the vulnerable plugin and lacking user education or additional CSRF controls."}}}}, "created": "2025-08-31T08:41:32.806601+00:00", "updated": "2026-04-21T19:15:26.040698+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpdreams", "wpdreams$PRODUCT$related_posts_lite"]}