Description
The TopBar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the fme_nb_topbar_save_settings() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-10-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery enabling unauthenticated plugin settings modification
Action: Patch
AI Analysis

Impact

This vulnerability arises from missing or incorrect nonce validation in the TopBar plugin’s settings save function. Because no nonce is checked, an attacker can construct a forged request that, when performed by a logged-in site administrator, changes the plugin’s configuration. The flaw is a classic CSRF weakness classified as CWE‑352, and it permits modification of the plugin’s configuration by an attacker who holds no credentials of their own.

Affected Systems

The issue exists in all releases of the TopBar WordPress plugin up to and including version 1.0.0, distributed under the fmeaddons TopBar package. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 4.3 places the vulnerability in the low to moderate range, while the EPSS score of <1% indicates a very low probability of exploitation. The attack requires an unauthenticated attacker to coerce an administrator into visiting a crafted link or submitting a crafted form, making it a social‑engineering type of threat. The vulnerability is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on April 22, 2026 at 13:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the TopBar plugin to the latest release that adds proper nonce validation for settings updates.
  • If a quick upgrade is not possible, temporarily disable the settings update endpoint or enforce a custom nonce check by editing the plugin’s admin file or applying an .htaccess rule that blocks requests lacking the required nonce value.
  • Apply a site‑wide CSRF mitigation such as a security plugin or CSP that forces nonce validation on all state‑changing requests to ensure future changes cannot be performed without a valid token.
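As an added illustration of the missing-nonce pattern described above (a constructed example, not the TopBar plugin's own code; the handler, option and action names are hypothetical, while the WordPress APIs are real), here is a settings-save handler with no nonce check beside the hardened form that uses check_admin_referer() and a capability check:

```php
<?php
// Constructed example, not the TopBar plugin's code. Function, option and
// action names are hypothetical; the WordPress functions are real.

// Vulnerable pattern: the handler trusts any POST carrying the expected field.
// A form on an attacker-controlled page submitted by a logged-in administrator
// looks identical to a legitimate save, so the setting is overwritten.
// Not hooked anywhere here; shown only as the "before" state.
function example_topbar_save_settings_vulnerable() {
    if ( ! isset( $_POST['example_topbar_text'] ) ) {
        return;
    }
    update_option( 'example_topbar_text', sanitize_text_field( wp_unslash( $_POST['example_topbar_text'] ) ) );
}

// Hardened pattern: require the capability and a nonce bound to this action.
// check_admin_referer() stops with a 403 "link has expired" page when the nonce
// is missing or invalid, which is the proper nonce validation the advisory
// says the fixed release must add.
function example_topbar_save_settings_hardened() {
    if ( ! isset( $_POST['example_topbar_text'] ) ) {
        return;
    }
    // Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-topbar' ), 403 );
    }
    // The nonce must have been issued for this exact action by wp_nonce_field().
    check_admin_referer( 'example_topbar_save_settings', 'example_topbar_nonce' );
    update_option( 'example_topbar_text', sanitize_text_field( wp_unslash( $_POST['example_topbar_text'] ) ) );
    // admin-post.php handlers must redirect themselves after the update.
    $back = wp_get_referer();
    wp_safe_redirect( $back ? add_query_arg( 'updated', '1', $back ) : admin_url() );
    exit;
}

// The matching settings form: wp_nonce_field() emits the hidden nonce input
// (and the referer field) that the hardened handler verifies.
function example_topbar_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_topbar_save_settings', 'example_topbar_nonce' ); ?>
        <input type="hidden" name="action" value="example_topbar_save">
        <input type="text" name="example_topbar_text" value="<?php echo esc_attr( get_option( 'example_topbar_text', '' ) ); ?>">
        <?php submit_button( __( 'Save', 'example-topbar' ) ); ?>
    </form>
    <?php
}

add_action( 'admin_post_example_topbar_save', 'example_topbar_save_settings_hardened' );
```

Whether a given plugin version is fixed can be checked by confirming that its settings handler calls check_admin_referer() or wp_verify_nonce() before any update_option() call.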

Advisories

No advisories yet.

History

Mon, 20 Oct 2025 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress, Wordpress wordpress
Vendors & Products | | Wordpress, Wordpress wordpress

Wed, 15 Oct 2025 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Oct 2025 08:45:00 +0000

Type | Values Removed | Values Added
Description | | The TopBar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the fme_nb_topbar_save_settings() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title | | TopBar <= 1.0.0 - Cross-Site Request Forgery to Settings Update
Weaknesses | | CWE-352
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:21.479Z

Reserved: 2025-09-11T21:07:45.739Z

Link: CVE-2025-10300

Vulnrichment

Updated: 2025-10-15T14:31:06.207Z

NVD

Status: Deferred

Published: 2025-10-15T09:15:39.400

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10300

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:15:17Z

Weaknesses