Description
The RateMyAgent Official plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.0. This is due to missing or incorrect nonce validation on the 'rma-settings-wizard'. This makes it possible for unauthenticated attackers to update the plugin's API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-02-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: API key modification via CSRF
Action: Patch
AI Analysis

Impact

The vulnerability is a CSRF flaw in the RateMyAgent Official plugin for WordPress. The plugin’s rma‑settings‑wizard endpoint does not correctly validate or enforce nonces, allowing an attacker to trick an administrator into submitting a forged request that changes the plugin’s API key without authentication. If an attacker succeeds, the new key could grant them unauthorized access to services protected by that API key, potentially compromising sensitive data or allowing further exploitation. The weakness corresponds to CWE‑352.

Affected Systems

All installations of the RateMyAgent Official plugin for WordPress up to, and including, version 1.4.0 are affected. The flaw pertains to the rma‑settings‑wizard functionality and exists in every release of the plugin prior to the change that introduced proper nonce validation.

Risk and Exploitability

The CVSS base score is 4.3 and the EPSS score is less than 1 %, indicating a moderate severity with a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires the attacker to entice a legitimate site administrator to click a crafted link or submit a forged form, which is feasible in a social‑engineering context. Once the API key is altered, the attacker can potentially use it to interact with the external service, undermining confidentiality in that ecosystem. Because the attack vector relies on CSRF, it is limited to the site where the admin logs in and does not require prior compromise of the server or the plugin code itself.

Generated by OpenCVE AI on April 22, 2026 at 07:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of RateMyAgent Official.
  • If upgrading is not possible, disable the rma‑settings‑wizard endpoint or deactivate the plugin to block the API key update path.
  • Implement additional CSRF safeguards in WordPress admin, such as enforcing nonces or restricting cross‑origin requests.

Generated by OpenCVE AI on April 22, 2026 at 07:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-5477 The RateMyAgent Official plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.0. This is due to missing or incorrect nonce validation on the 'rma-settings-wizard'. This makes it possible for unauthenticated attackers to update the plugin's API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Thu, 06 Mar 2025 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Ratemyagent
Ratemyagent ratemyagent
CPEs cpe:2.3:a:ratemyagent:ratemyagent:*:*:*:*:*:wordpress:*:*
Vendors & Products Ratemyagent
Ratemyagent ratemyagent

Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 28 Feb 2025 04:45:00 +0000

Type Values Removed Values Added
Description The RateMyAgent Official plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.0. This is due to missing or incorrect nonce validation on the 'rma-settings-wizard'. This makes it possible for unauthenticated attackers to update the plugin's API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title RateMyAgent Official <= 1.4.0 - Cross-Site Request Forgery to API Key Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Ratemyagent Ratemyagent
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:10.320Z

Reserved: 2025-01-28T14:45:28.388Z

Link: CVE-2025-0801

cve-icon Vulnrichment

Updated: 2025-02-28T15:13:57.316Z

cve-icon NVD

Status : Analyzed

Published: 2025-02-28T05:15:33.683

Modified: 2025-03-06T20:21:36.547

Link: CVE-2025-0801

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T07:15:11Z

Weaknesses