{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9631", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-28T19:54:00.766Z", "datePublished": "2025-09-11T07:24:49.603Z", "dateUpdated": "2026-04-08T16:38:13.320Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:13.320Z"}, "affected": [{"vendor": "gyaku", "product": "AutoCatSet", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The AutoCatSet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.4. This is due to missing or incorrect nonce validation on the autocatset_ajax function. This makes it possible for unauthenticated attackers to trigger automatic recategorization of posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "AutoCatSet <= 2.1.4 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1b3bd31f-0f5a-4b4a-811b-5482db866bd5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/autocatset/trunk/lib/ajax.php#L5"}, {"url": "https://plugins.trac.wordpress.org/browser/autocatset/trunk/autocatset.php#L93"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-09-10T18:53:17.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-11T14:32:41.654653Z", "id": "CVE-2025-9631", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T14:41:39.556Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9631", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-11T14:32:41.654653Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T14:26:46.311Z"}}], "cna": {"title": "AutoCatSet <= 2.1.4 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "gyaku", "product": "AutoCatSet", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.1.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-10T18:53:17.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1b3bd31f-0f5a-4b4a-811b-5482db866bd5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/autocatset/trunk/lib/ajax.php#L5"}, {"url": "https://plugins.trac.wordpress.org/browser/autocatset/trunk/autocatset.php#L93"}], "descriptions": [{"lang": "en", "value": "The AutoCatSet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.4. This is due to missing or incorrect nonce validation on the autocatset_ajax function. This makes it possible for unauthenticated attackers to trigger automatic recategorization of posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-09-11T07:24:49.603Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9631", "state": "PUBLISHED", "dateUpdated": "2025-09-11T14:41:39.556Z", "dateReserved": "2025-08-28T19:54:00.766Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-11T07:24:49.603Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The AutoCatSet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.4. This is due to missing or incorrect nonce validation on the autocatset_ajax function. This makes it possible for unauthenticated attackers to trigger automatic recategorization of posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9631", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-11T08:15:37.987", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/autocatset/trunk/autocatset.php#L93"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/autocatset/trunk/lib/ajax.php#L5"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1b3bd31f-0f5a-4b4a-811b-5482db866bd5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T22:15:11.906598+00:00", "value": {"mitigation_remediation": ["Upgrade AutoCatSet to the latest version that implements proper nonce validation.", "If upgrading is not immediately possible, disable or remove the AutoCatSet plugin to eliminate the vulnerable endpoint.", "Ensure that all AJAX endpoints in the WordPress installation validate a nonce before performing any state\u2011changing operation; apply the same principle to any custom plugins."], "summary": {"action": "Patch Now", "impact": "Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "All installations of gyaku AutoCatSet for WordPress with version 2.1.4 or earlier are affected. No specific patch versions are listed, but remediation requires updating beyond 2.1.4.", "description_and_impact": "The AutoCatSet WordPress plugin suffers from a Cross\u2011Site Request Forgery flaw caused by missing or incorrect nonce validation in the autocatset_ajax function. A malicious actor can craft a forged request that an authenticated site administrator unknowingly submits, triggering automatic recategorization of posts. This flaw allows the attacker to change post categories.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in CISA\u2019s KEV catalog. Nevertheless, the flaw can be exploited by any attacker who manages to deceive an authenticated administrator\u2014most likely through social engineering or a malicious link\u2014into opening a forged request. This attack vector relies only on the victim\u2019s authenticated session, making it a low\u2011effort but purely human\u2011centric method of attack."}}}}, "created": "2025-09-12T08:03:08.595886+00:00", "updated": "2026-04-22T22:15:26.360291+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}