{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9891", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-02T22:59:56.638Z", "datePublished": "2025-09-17T01:53:14.331Z", "dateUpdated": "2026-04-08T16:59:00.382Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:00.382Z"}, "affected": [{"vendor": "cyberlord92", "product": "User Sync", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The User Sync \u2013 Remote User Sync plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the mo_user_sync_form_handler() function. This makes it possible for unauthenticated attackers to deactivate the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "User Sync \u2013 Remote User Sync <= 1.0.2 - Cross-Site Request Forgery to Plugin Deactivation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b60777e-6e07-42bd-9364-43367e209227?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/user-sync/tags/1.0.1/mo-user-sync-main.php#L118"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3360328%40user-sync&new=3360328%40user-sync&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-09-16T13:49:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-17T13:09:20.554042Z", "id": "CVE-2025-9891", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-17T13:09:26.021Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9891", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-17T13:09:20.554042Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-17T13:09:22.438Z"}}], "cna": {"title": "User Sync \u2013 Remote User Sync <= 1.0.2 - Cross-Site Request Forgery to Plugin Deactivation", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "cyberlord92", "product": "User Sync", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-16T13:49:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b60777e-6e07-42bd-9364-43367e209227?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/user-sync/tags/1.0.1/mo-user-sync-main.php#L118"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3360328%40user-sync&new=3360328%40user-sync&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The User Sync \u2013 Remote User Sync plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the mo_user_sync_form_handler() function. This makes it possible for unauthenticated attackers to deactivate the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:00.382Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9891", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:59:00.382Z", "dateReserved": "2025-09-02T22:59:56.638Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-17T01:53:14.331Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The User Sync \u2013 Remote User Sync plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the mo_user_sync_form_handler() function. This makes it possible for unauthenticated attackers to deactivate the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9891", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-17T02:15:34.003", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/user-sync/tags/1.0.1/mo-user-sync-main.php#L118"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3360328%40user-sync&new=3360328%40user-sync&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b60777e-6e07-42bd-9364-43367e209227?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:52:58.282243+00:00", "value": {"mitigation_remediation": ["Upgrade the User Sync \u2013 Remote User Sync plugin to a version newer than 1.0.2, which includes proper nonce validation to block CSRF requests.", "If an immediate upgrade is not possible, deactivate or uninstall the plugin to eliminate the attack vector altogether.", "Train site administrators to recognize and avoid suspicious links, and consider installing a WordPress security plugin that logs or blocks suspicious nonce activity for added protection."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Request Forgery enabling plugin deactivation"}, "threat_synthesis": {"affected_systems": "The affected system is the WordPress plugin User Sync \u2013 Remote User Sync from vendor cyberlord92. All releases up to and including version 1.0.2 are vulnerable; newer releases are not listed as affected.", "description_and_impact": "The vulnerability in the User Sync \u2013 Remote User Sync plugin stems from a missing or incorrect nonce validation in the mo_user_sync_form_handler() function. Because the plugin fails to verify a request nonce, an attacker can craft a forged request that the system will accept as legitimate. This flaw allows an unauthenticated attacker\u2014provided they can convince a site administrator to click a malicious link\u2014to deactivate the plugin, resulting in loss of remote user synchronization and any services that depend on it. The weakness is a classic Cross\u2011Site Request Forgery flaw, classified as CWE\u2011352, which permits execution of privileged actions without proper authentication.", "risk_and_exploitability": "The CVSS score of 4.3 places this issue in the moderate range, and the EPSS score of less than 1% indicates an extremely low likelihood of exploitation. The vulnerability is not included in CISA\u2019s KEV catalog. Exploitation requires an attacker to deceive a site administrator into opening a crafted link, so social engineering is the primary prerequisite. While the exploitation probability is low, the potential denial of remote user synchronization could disrupt business operations, warranting a prompt patch."}}}}, "created": "2025-09-17T10:04:03.388936+00:00", "updated": "2026-04-21T03:00:06.377352+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}