{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9633", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-28T20:02:32.658Z", "datePublished": "2025-09-11T07:25:03.959Z", "dateUpdated": "2026-04-08T17:34:27.471Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:27.471Z"}, "affected": [{"vendor": "shawfactor", "product": "LH Signing", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.83", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LH Signing plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.83. This is due to missing or incorrect nonce validation on the plugin_options function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "LH Signing <= 2.83 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fadd7934-bdd9-47e9-bd34-d162ff3b7cd4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/lh-signing/trunk/lh-signing.php#L1886"}, {"url": "https://plugins.trac.wordpress.org/browser/lh-signing/trunk/partials/option-settings.php#L3"}, {"url": "https://plugins.trac.wordpress.org/browser/lh-signing/trunk/lh-signing.php#L1870"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-09-10T18:43:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-11T13:31:27.065560Z", "id": "CVE-2025-9633", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T14:36:46.637Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9633", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-11T13:31:27.065560Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T13:31:29.270Z"}}], "cna": {"title": "LH Signing <= 2.83 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "shawfactor", "product": "LH Signing", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.83"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-10T18:43:52.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fadd7934-bdd9-47e9-bd34-d162ff3b7cd4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/lh-signing/trunk/lh-signing.php#L1886"}, {"url": "https://plugins.trac.wordpress.org/browser/lh-signing/trunk/partials/option-settings.php#L3"}, {"url": "https://plugins.trac.wordpress.org/browser/lh-signing/trunk/lh-signing.php#L1870"}], "descriptions": [{"lang": "en", "value": "The LH Signing plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.83. This is due to missing or incorrect nonce validation on the plugin_options function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-09-11T07:25:03.959Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9633", "state": "PUBLISHED", "dateUpdated": "2025-09-11T14:36:46.637Z", "dateReserved": "2025-08-28T20:02:32.658Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-11T07:25:03.959Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LH Signing plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.83. This is due to missing or incorrect nonce validation on the plugin_options function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9633", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-11T08:15:38.360", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/lh-signing/trunk/lh-signing.php#L1870"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/lh-signing/trunk/lh-signing.php#L1886"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/lh-signing/trunk/partials/option-settings.php#L3"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fadd7934-bdd9-47e9-bd34-d162ff3b7cd4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:48:46.768192+00:00", "value": {"mitigation_remediation": ["Upgrade the LH Signing plugin to the latest available version (2.84 or later) so that the nonce validation bug is fixed.", "If the update cannot be applied immediately, disable or delete the plugin from the site to eliminate the attack surface until a patch is released.", "As a temporary measure for sites that must continue using the old plugin, modify the plugin code to add proper nonce checks to the plugin_options handler or restrict access to this handler so that only authenticated administrators can invoke it."], "summary": {"action": "Patch or Workaround", "impact": "Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the LH Signing plugin version 2.83 or earlier are affected. The plugin, developed by shawfactor, is included in the plugin repository and can be installed on any WordPress instance where site administrators manage it.", "description_and_impact": "The LH Signing WordPress plugin is vulnerable to Cross\u2011Site Request Forgery because the plugin_options function fails to validate a nonce on every request. An attacker who can trick an administrator into executing a forged request can modify any of the plugin\u2019s settings. This change could be used to alter the plugin\u2019s behavior, potentially weakening site security or redirecting traffic. The type of weakness is identified as CWE\u2011352, reflecting a failure to verify an attacker\u2019s intent.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate level of severity, while the EPSS score of less than 1% suggests a very low exploitation probability at the time of analysis. The vulnerability is not listed in CISA\u2019s KEV catalog, further indicating that no widespread or known exploits are in circulation. The likely attack vector is Cross\u2011Site Request Forgery; a malicious actor would need to persuade an administrator to click a crafted link or visit a malicious page that submits a forged POST request to the plugin_options endpoint. Because the flaw affects unauthenticated requests that are then executed under the privileges of the admin user, the impact is confined to those privileged users\u2014but once the plugin settings are altered, the attacker could gain broader influence over the site\u2019s operation."}}}}, "created": "2025-09-12T08:03:08.287933+00:00", "updated": "2026-04-20T22:00:11.181649+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}