{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9621", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-28T18:58:53.402Z", "datePublished": "2025-10-11T09:28:36.133Z", "dateUpdated": "2026-04-08T16:32:34.886Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:34.886Z"}, "affected": [{"vendor": "widgetpack", "product": "WidgetPack Comment System", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WidgetPack Comment System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation on the wpcmt_sync action in the wpcmt_request_handler function. This makes it possible for unauthenticated attackers to trigger comment synchronization events via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "WidgetPack Comment System <= 1.6.1 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/01996a4c-0ad8-4da8-bfa7-3442c5a67679?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/widgetpack-comment-system/tags/1.6.1/wpcmt.php#L295"}, {"url": "https://plugins.trac.wordpress.org/browser/widgetpack-comment-system/tags/1.6.1/wpcmt.php#L419"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Sandeep"}], "timeline": [{"time": "2025-10-10T20:51:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-14T20:17:07.518610Z", "id": "CVE-2025-9621", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-14T20:18:12.444Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9621", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-14T20:17:07.518610Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-14T20:17:41.454Z"}}], "cna": {"title": "WidgetPack Comment System <= 1.6.1 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Sandeep"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "widgetpack", "product": "WidgetPack Comment System", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.6.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-10T20:51:31.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/01996a4c-0ad8-4da8-bfa7-3442c5a67679?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/widgetpack-comment-system/tags/1.6.1/wpcmt.php#L295"}, {"url": "https://plugins.trac.wordpress.org/browser/widgetpack-comment-system/tags/1.6.1/wpcmt.php#L419"}], "descriptions": [{"lang": "en", "value": "The WidgetPack Comment System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation on the wpcmt_sync action in the wpcmt_request_handler function. This makes it possible for unauthenticated attackers to trigger comment synchronization events via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:34.886Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9621", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:32:34.886Z", "dateReserved": "2025-08-28T18:58:53.402Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-11T09:28:36.133Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WidgetPack Comment System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation on the wpcmt_sync action in the wpcmt_request_handler function. This makes it possible for unauthenticated attackers to trigger comment synchronization events via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9621", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-11T10:15:44.637", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/widgetpack-comment-system/tags/1.6.1/wpcmt.php#L295"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/widgetpack-comment-system/tags/1.6.1/wpcmt.php#L419"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/01996a4c-0ad8-4da8-bfa7-3442c5a67679?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:10:02.535885+00:00", "value": {"mitigation_remediation": ["Update the WidgetPack Comment System plugin to version\u202f1.6.2 or later when the update is released.", "If an immediate upgrade is not possible, disable the wpcmt_sync action or remove the plugin altogether to eliminate the CSRF vector.", "Implement or verify robust CSRF protection for all AJAX actions, for example by ensuring nonces are validated in every request, or by using a security plugin that blocks unauthorized requests."], "summary": {"action": "Apply Patch", "impact": "Unauthenticated CSRF leading to unauthorized comment synchronization"}, "threat_synthesis": {"affected_systems": "All installations of the WidgetPack Comment System plugin up to and including version\u202f1.6.1 are vulnerable. The flaw exists regardless of the underlying WordPress version; any site that has not upgraded beyond 1.6.1 is at risk.", "description_and_impact": "The WidgetPack Comment System plugin suffers from a missing nonce validation on the wpcmt_sync action within the wpcmt_request_handler function. This creates a CSRF flaw that allows an unauthenticated attacker to trigger comment synchronization on a WordPress site simply by causing a site administrator or other privileged user to visit a crafted link. The resulting action can add, modify, or delete comments without the user\u2019s knowledge, potentially disrupting site content or facilitating spam.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity. An EPSS score of less than 1% indicates that exploitation is currently deemed unlikely, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires the attacker to persuade a privileged user to click a malicious link, so the attack surface is limited to environments where such social engineering is feasible. The flaw does not provide remote code execution, though it does grant unauthorized manipulation of the comment sync feature."}}}}, "created": "2025-10-20T16:15:02.496738+00:00", "updated": "2026-04-22T14:15:20.420223+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}