Description
The ViaAds plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.2. This is due to missing nonce validation on the `ViaAds_pluginHandler` function. This makes it possible for unauthenticated attackers to modify the plugin's API key and cookie consent settings via a forged request, provided they can trick an administrator into performing an action such as clicking on a link.
Published: 2025-11-04
Score: 4.3 (Medium)
EPSS: < 1% (Very Low)
KEV: No
Impact: Unauthorized configuration change via CSRF
Action: Update plugin
AI Analysis

Impact

The ViaAds WordPress plugin allows an unauthenticated attacker to perform a Cross-Site Request Forgery against the `ViaAds_pluginHandler` function because the function does not validate a nonce. The flaw lets the attacker change the plugin's API key and cookie consent settings if an administrator can be tricked into submitting the forged request, for example by clicking a link. The result is an unauthorized configuration change that could alter how the plugin transfers data or tracks visitors on the site.

Affected Systems

The ViaAds plugin for WordPress, all releases up to and including version 2.1.2, is affected.

Risk and Exploitability

The CVSS score of 4.3 reflects a moderate risk: exploitation requires no privileges but does require user interaction, since the attacker must trick an administrator into submitting a forged request. The EPSS score below 1% indicates a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attacker must get an administrator to click a link (or take a similar action) for the configuration change to occur.

Generated by OpenCVE AI on April 22, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ViaAds plugin to a version newer than 2.1.2, which includes proper nonce validation.
  • Restrict access to WordPress administrative pages to trusted users and enable two‑factor authentication for admin accounts.
  • Verify that API key and cookie consent changes are protected by CSRF tokens; disable direct modification of the API key if it is not required.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:00:00 +0000

Type: Description
  Values removed: The ViaAds plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing nonce validation on the `ViaAds_pluginHandler` function. This makes it possible for unauthenticated attackers to modify the plugin's API key and cookie consent settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
  Values added: The ViaAds plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.2. This is due to missing nonce validation on the `ViaAds_pluginHandler` function. This makes it possible for unauthenticated attackers to modify the plugin's API key and cookie consent settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Type: Title
  Values removed: ViaAds <= 2.1.1 - Cross-Site Request Forgery to API Key Update
  Values added: ViaAds <= 2.1.2 - Cross-Site Request Forgery to API Key Update
Type: References
References

Tue, 04 Nov 2025 19:15:00 +0000

Type: Metrics (ssvc)
  Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 04 Nov 2025 16:45:00 +0000

Type: First Time appeared
  Values added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values added: Wordpress; Wordpress wordpress

Tue, 04 Nov 2025 03:45:00 +0000

Type: Description
  Values added: The ViaAds plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing nonce validation on the `ViaAds_pluginHandler` function. This makes it possible for unauthenticated attackers to modify the plugin's API key and cookie consent settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Type: Title
  Values added: ViaAds <= 2.1.1 - Cross-Site Request Forgery to API Key Update
Type: Weaknesses
  Values added: CWE-352
Type: References
Type: Metrics (cvssV3_1)
  Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:25.505Z

Reserved: 2025-10-22T13:56:26.427Z

Link: CVE-2025-12070

Vulnrichment

Updated: 2025-11-04T18:50:07.879Z

NVD

Status: Deferred

Published: 2025-11-04T04:15:37.433

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12070

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:30:27Z

Weaknesses