Description
The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the `login_form_indieauth()` function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for unauthenticated attackers to force authenticated users to approve OAuth authorization requests for attacker-controlled applications via a forged request, provided they can trick a user into performing an action such as clicking on a link or visiting a malicious page while logged in. The attacker can then exchange the stolen authorization code for an access token, effectively taking over the victim's account with the granted scopes (create, update, delete).
Published: 2025-10-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover via OAuth Token
Action: Immediate Patch
AI Analysis

Impact

The IndieAuth WordPress plugin is vulnerable to Cross‑Site Request Forgery due to missing nonce verification in the login_form_indieauth() function and the authorization endpoint. Unauthenticated attackers can force a logged‑in user to approve OAuth requests for attacker‑controlled applications. Once the victim authorises, the attacker can exchange the obtained authorization code for an access token and gain full control of the victim's account with scopes that allow creating, updating, and deleting content. The vulnerability is a classic example of a request-forgery flaw on an authorization endpoint escalating to account takeover.
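The shape of the flaw and of the corresponding fix, as an added illustration that is not the IndieAuth plugin's real code: a hypothetical handler on WordPress's `login_form_indieauth` action (the hook WordPress fires for wp-login.php?action=indieauth) renders a consent form and, on POST, issues an authorization code. The helper names `indieauth_issue_code` and `indieauth_render_consent_form`, the nonce action string `indieauth_authorize` and the request parameter names are assumptions. The vulnerable variant accepts any POST from the victim's browser; the hardened variant emits a per-user nonce in the form and refuses a POST that does not carry it.

```php
<?php
// Added illustration, not the IndieAuth plugin's own code. Assumes a hypothetical
// handler on WordPress's login_form_indieauth hook (wp-login.php?action=indieauth).

/**
 * Vulnerable pattern: the consent POST is trusted without a nonce, so a form
 * auto-submitted from another site by the logged-in victim's browser looks
 * exactly like a genuine approval click.
 */
function vulnerable_login_form_indieauth() {
    if ( ! is_user_logged_in() ) {
        auth_redirect(); // sends the visitor to the login screen and exits
    }
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] && ! empty( $_POST['wp-submit'] ) ) {
        // Nothing here proves the user saw and submitted this site's own form.
        indieauth_issue_code( $_POST['client_id'], $_POST['redirect_uri'], $_POST['scope'], $_POST['state'] );
        exit;
    }
    indieauth_render_consent_form( $_GET );
    exit;
}

/**
 * Hardened pattern: the consent form carries a nonce bound to the current user
 * and session, and the POST is rejected with HTTP 403 unless the nonce verifies.
 */
function hardened_login_form_indieauth() {
    if ( ! is_user_logged_in() ) {
        auth_redirect();
    }
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] && ! empty( $_POST['wp-submit'] ) ) {
        // check_admin_referer() runs wp_verify_nonce() on $_POST['_wpnonce'] and calls
        // wp_die() with a 403 when the nonce is missing, stale or for another user.
        // Despite the name it works on any WordPress screen, not only wp-admin.
        check_admin_referer( 'indieauth_authorize', '_wpnonce' );
        indieauth_issue_code(
            sanitize_text_field( $_POST['client_id'] ),
            sanitize_text_field( $_POST['redirect_uri'] ),
            sanitize_text_field( $_POST['scope'] ),
            sanitize_text_field( $_POST['state'] )
        );
        exit;
    }
    indieauth_render_consent_form( $_GET );
    exit;
}

/** Hypothetical consent form; the nonce field is what the hardened handler checks. */
function indieauth_render_consent_form( array $request ) {
    echo '<form method="post" action="' . esc_url( wp_login_url() . '?action=indieauth' ) . '">';
    foreach ( array( 'client_id', 'redirect_uri', 'scope', 'state' ) as $key ) {
        echo '<input type="hidden" name="' . esc_attr( $key ) . '" value="' . esc_attr( $request[ $key ] ?? '' ) . '">';
    }
    // Emits the _wpnonce (and _wp_http_referer) hidden inputs for this user and action.
    wp_nonce_field( 'indieauth_authorize', '_wpnonce' );
    echo '<button type="submit" name="wp-submit" value="1">Approve</button></form>';
}

/** Hypothetical code issuance: bind the code to user, client and scope, then redirect. */
function indieauth_issue_code( $client_id, $redirect_uri, $scope, $state ) {
    $code = wp_generate_password( 32, false );
    set_transient(
        'indieauth_code_' . hash( 'sha256', $code ),
        array(
            'user_id'      => get_current_user_id(),
            'client_id'    => $client_id,
            'redirect_uri' => $redirect_uri,
            'scope'        => $scope,
        ),
        10 * MINUTE_IN_SECONDS // short lifetime limits the window for a stolen code
    );
    wp_redirect( add_query_arg( array( 'code' => $code, 'state' => $state ), $redirect_uri ) );
}

// Register only the hardened handler; the vulnerable one is shown for contrast.
add_action( 'login_form_indieauth', 'hardened_login_form_indieauth' );
```

The nonce is the control the advisory says is missing: because `wp_create_nonce()` derives the token from the user's session and the action string, a page on another origin cannot know the value to include in its forged form, so the forged approval fails before any code is issued. The token exchange step should additionally check that the stored `client_id` and `redirect_uri` match the ones presented at exchange time.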

Affected Systems

The affected vendor and product is indieweb:IndieAuth. All releases of the IndieAuth plugin for WordPress up to and including version 4.5.4 are impacted. WordPress sites running any of these plugin versions are at risk, regardless of the site’s WordPress core version.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score of less than 1% suggests a low probability of exploitation in the current landscape, and the fact that it is not listed in CISA’s KEV catalog does not diminish the need for a quick response. Exploitation requires only social engineering to lure the target user to a crafted link or page while they are logged in; the attacker does not need site credentials. Once the forged request is processed, the attacker obtains an authorization code, exchanges it for an access token and effectively takes over the user’s account. Because the scope of the token can include full CRUD rights, the impact can be destructive to site content.

Generated by OpenCVE AI on April 22, 2026 at 12:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest IndieAuth plugin version (≥4.5.5) to eliminate the CSRF flaw.
  • If an immediate upgrade is not possible, block or restrict the wp-login.php?action=indieauth endpoint to known clients or use a firewall rule to prevent unauthenticated CSRF requests.
  • Enable multi‑factor authentication for all WordPress accounts to add a second layer of protection.
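An interim, site-operator-side stopgap for the second recommendation above, as an added example that is neither the plugin's nor OpenCVE's code: a must-use plugin hooked on WordPress's early `login_init` action that, for wp-login.php?action=indieauth, rejects approvals for client_id hosts outside an allow-list and rejects POSTs whose browser headers do not show a same-origin submission. The allow-list contents, the plugin name and the function names are assumptions; the check fails closed when no usable header is present.

```php
<?php
/**
 * Plugin Name: IndieAuth endpoint stopgap (added example, not the plugin's own code)
 * Description: Drop into wp-content/mu-plugins/ until IndieAuth is upgraded past 4.5.4.
 */

// Hypothetical allow-list of client_id hosts that may receive authorization approvals.
const INDIEAUTH_STOPGAP_ALLOWED_CLIENT_HOSTS = array( 'client.example.org' );

/**
 * True when the request headers show a submission from this site's own origin.
 * Sec-Fetch-Site is authoritative where the browser sends it; otherwise fall back
 * to Origin, then Referer; with none of them present, treat the request as cross-site.
 */
function indieauth_stopgap_same_origin( array $server, $site_host ) {
    $fetch_site = strtolower( $server['HTTP_SEC_FETCH_SITE'] ?? '' );
    if ( '' !== $fetch_site ) {
        return 'same-origin' === $fetch_site;
    }
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
        if ( ! empty( $server[ $header ] ) ) {
            $host = wp_parse_url( $server[ $header ], PHP_URL_HOST );
            return is_string( $host ) && strtolower( $host ) === strtolower( $site_host );
        }
    }
    return false; // fail closed: an approval with no provenance headers is not trusted
}

/** Runs before wp-login.php dispatches the action; only the indieauth action is guarded. */
function indieauth_stopgap_guard() {
    if ( 'indieauth' !== ( $_REQUEST['action'] ?? '' ) ) {
        return;
    }

    // Restrict the endpoint to known clients: compare the client_id host to the allow-list.
    $client_host = wp_parse_url( (string) ( $_REQUEST['client_id'] ?? '' ), PHP_URL_HOST );
    if ( ! is_string( $client_host ) || ! in_array( strtolower( $client_host ), INDIEAUTH_STOPGAP_ALLOWED_CLIENT_HOSTS, true ) ) {
        wp_die( 'Unknown IndieAuth client.', 'Forbidden', array( 'response' => 403 ) );
    }

    // A consent approval (POST) must come from this site's own pages, not a third-party one.
    if ( 'POST' === ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
        if ( ! indieauth_stopgap_same_origin( $_SERVER, $site_host ) ) {
            error_log( 'indieauth stopgap: rejected cross-site approval for user ' . get_current_user_id() );
            wp_die( 'Cross-site request rejected.', 'Forbidden', array( 'response' => 403 ) );
        }
    }
}
add_action( 'login_init', 'indieauth_stopgap_guard' );
```

This does not replace the nonce fix: a same-origin check based on browser headers protects against forged cross-site form posts but not against requests from a page that already runs on the site's own origin, and Sec-Fetch-Site is only sent by browsers that implement Fetch Metadata. The `error_log()` line gives incident responders a record of rejected approvals to correlate with the timeline in the advisory.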


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type          Values Removed   Values Added
References

Mon, 27 Oct 2025 22:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
Vendors & Products                    Wordpress
                                      Wordpress wordpress

Fri, 24 Oct 2025 13:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 24 Oct 2025 08:30:00 +0000

Type          Values Removed   Values Added
Description                    The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the `login_form_indieauth()` function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for unauthenticated attackers to force authenticated users to approve OAuth authorization requests for attacker-controlled applications via a forged request granted they can trick a user into performing an action such as clicking on a link or visiting a malicious page while logged in. The attacker can then exchange the stolen authorization code for an access token, effectively taking over the victim's account with the granted scopes (create, update, delete).
Title                          IndieAuth <= 4.5.4 - Cross-Site Request Forgery to Account Takeover via Stolen OAuth Tokens
Weaknesses                     CWE-352
References
Metrics                        cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:58.505Z

Reserved: 2025-10-21T15:30:05.581Z

Link: CVE-2025-12028

Vulnrichment

Updated: 2025-10-24T12:12:28.881Z

NVD

Status : Deferred

Published: 2025-10-24T09:15:44.367

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12028

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:15:16Z

Weaknesses