{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9945", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-03T13:09:19.764Z", "datePublished": "2025-10-03T11:17:13.929Z", "dateUpdated": "2026-04-08T16:57:37.492Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:37.492Z"}, "affected": [{"vendor": "aryadhiratara", "product": "Optimize More! \u2013 CSS", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Optimize More! \u2013 CSS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the reset_plugin function. This makes it possible for unauthenticated attackers to reset the plugin's optimization settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Optimize More! \u2013 CSS <= 1.0.3 - Cross-Site Request Forgery to Plugin Settings Reset", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/64aadd20-a831-4550-b68d-827722a35c0f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/optimize-more-css/trunk/includes/classes/Settings.php#L216"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-10-02T22:32:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-03T14:57:29.613979Z", "id": "CVE-2025-9945", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T14:57:35.436Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9945", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-03T14:57:29.613979Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T14:57:32.839Z"}}], "cna": {"title": "Optimize More! \u2013 CSS <= 1.0.3 - Cross-Site Request Forgery to Plugin Settings Reset", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "aryadhiratara", "product": "Optimize More! \u2013 CSS", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-02T22:32:49.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/64aadd20-a831-4550-b68d-827722a35c0f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/optimize-more-css/trunk/includes/classes/Settings.php#L216"}], "descriptions": [{"lang": "en", "value": "The Optimize More! \u2013 CSS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the reset_plugin function. This makes it possible for unauthenticated attackers to reset the plugin's optimization settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:37.492Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9945", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:57:37.492Z", "dateReserved": "2025-09-03T13:09:19.764Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-03T11:17:13.929Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Optimize More! \u2013 CSS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the reset_plugin function. This makes it possible for unauthenticated attackers to reset the plugin's optimization settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9945", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-03T12:15:50.817", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/optimize-more-css/trunk/includes/classes/Settings.php#L216"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/64aadd20-a831-4550-b68d-827722a35c0f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:36:39.986682+00:00", "value": {"mitigation_remediation": ["If an update to the plugin is available that removes the CSRF flaw, upgrade to the latest version immediately.", "Verify that the reset_plugin action is inaccessible from the front\u2011end or disable it via code or a filter so that only users with the \u2018manage_options\u2019 capability can trigger a reset.", "Educate site administrators to recognize and avoid suspicious URLs and to verify the source of safety-critical actions before clicking them.", "Consider deploying a security plugin that enforces CSRF protection on sensitive admin operations."], "summary": {"action": "Monitor", "impact": "Unauthorized configuration reset via CSRF"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Optimize\u202fMore!\u202f\u2013\u202fCSS plugin, version\u202f1.0.3 or earlier. Any WordPress installation that has installed this plugin and has an administrator account that can be social\u2011engineered is at risk.", "description_and_impact": "The Optimize\u202fMore!\u202f\u2013\u202fCSS plugin is vulnerable to Cross\u2011Site Request Forgery because the reset_plugin function does not perform correct nonce validation. An attacker who can trick a WordPress site administrator into clicking a crafted link can cause the plugin\u2019s optimization settings to be reset to their defaults. This results in configuration tampering that can degrade site performance and potentially expose the site to further misconfiguration attacks. The weakness is a classic Cross\u2011Site Request Forgery flaw (CWE\u2011352).", "risk_and_exploitability": "The CVSS score of 4.3 reflects a moderate severity. The EPSS score of less than 1% shows a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an unauthenticated attacker to obtain administrative interaction, typically through a phishing or social\u2011engineering vector directed at a site administrator. Once the admin executes the forged request, the plugin\u2019s settings are reset, which is a non\u2011destructive but disruptive change that may lead to increased resource usage or other indirect impacts."}}}}, "created": "2025-10-06T14:43:06.071574+00:00", "updated": "2026-04-21T02:45:25.944879+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}