Description
The Disable Content Editor For Specific Template plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing nonce validation on template configuration updates. This makes it possible for unauthenticated attackers to add or delete template configurations via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Published: 2025-10-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery
Action: Patch Plugin
AI Analysis

Impact

The Disable Content Editor For Specific Template plugin for WordPress is vulnerable to Cross-Site Request Forgery because the request that updates a template configuration is not protected by nonce validation. An unauthenticated attacker who gets an administrator to follow a crafted link or otherwise submit a forged request can cause that administrator to unintentionally add or delete template configuration entries. Such a configuration change can alter how content is displayed or managed on the site without the administrator's consent.

Affected Systems

The vulnerability affects the WordPress plugin "Disable Content Editor For Specific Template" produced by the vendor mynamevenu24, for all releases up to and including version 2.0. No other product versions are listed as affected.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 rates this vulnerability as Medium severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires the attacker to entice an administrator into clicking a crafted URL or otherwise submitting a forged request, so the attack vector is social engineering or phishing. Based solely on the information provided, an unauthenticated actor can exploit the issue if they successfully deceive an administrator into triggering the template configuration update.

Generated by OpenCVE AI on April 22, 2026 at 21:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version newer than 2.0 if one is available, ensuring that nonce validation is implemented for configuration changes.
  • If an update is not available or delayed, uninstall or deactivate the plugin to prevent the vulnerable functionality from being used.
  • Implement additional safeguards such as two-factor authentication for administrator accounts and carefully review any external links in emails or on the site to reduce the risk of a phishing click that could trigger the CSRF.



Advisories

No advisories yet.

History

Mon, 27 Oct 2025 22:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Wordpress; Wordpress wordpress
Vendors & Products   -                Wordpress; Wordpress wordpress

Fri, 24 Oct 2025 17:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Oct 2025 08:30:00 +0000

Type         Values Removed   Values Added
Description  -                The Disable Content Editor For Specific Template plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing nonce validation on template configuration updates. This makes it possible for unauthenticated attackers to add or delete template configurations via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Title        -                Disable Content Editor For Specific Template <= 2.0 - Cross-Site Request Forgery to Template Configuration Update
Weaknesses   -                CWE-352
References   -
Metrics      -                cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:10.290Z

Reserved: 2025-10-22T14:07:11.906Z

Link: CVE-2025-12072

Vulnrichment

Updated: 2025-10-24T16:39:58.394Z

NVD

Status: Deferred

Published: 2025-10-24T09:15:44.733

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12072

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T22:00:18Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)