Description
The Social Media WPCF7 Stop Words plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.3. This is due to missing or incorrect nonce validation on the smWpCfSwOptions() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-11-04
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery enabling unauthorized updates of plugin settings and script injection
Action: Patch Immediately
AI Analysis

Impact

The Social Media WPCF7 Stop Words plugin suffers from missing or incorrect nonce validation in its smWpCfSwOptions() function. An attacker who can trick a site administrator into submitting a request can change the plugin's settings and inject malicious web scripts. The attacker thereby gains script execution in the website’s context without any authentication of their own: the only requirement is a forged request submitted by the administrator’s browser. CWE‑352

Affected Systems

All WordPress sites running the Social Media WPCF7 Stop Words plugin, version 1.1.3 or earlier. The vulnerability applies to any installation that has not upgraded beyond 1.1.3; the forged request has to be carried out by an account with administrator privileges that can access the plugin’s settings page.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to lure an administrator into performing a forged action—most commonly a phishing link that triggers the plugin settings update without correct nonce verification. No additional prerequisites are noted beyond the ability to trick an admin user into clicking a malicious URL.

Generated by OpenCVE AI on April 22, 2026 at 16:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Social Media WPCF7 Stop Words plugin to version 1.1.4 or newer, which includes proper nonce validation.
  • If an immediate update is not possible, disable or uninstall the plugin’s settings page until a patch is applied, ensuring that only trusted administrators can access configuration in the future.
  • Implement site‑wide Web Application Firewall rules to block POST requests lacking valid nonces for the plugin’s settings endpoint, and educate administrators to recognize phishing attempts that may trigger unauthorized requests.
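As an added illustration (not the plugin's own code, which this page does not show), a hypothetical WordPress options handler in the shape CWE-352 describes, followed by the hardened form that uses WordPress's own nonce and capability checks; the function, option and field names are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Names are hypothetical.

// --- Vulnerable pattern: any POST reaches update_option() unchecked ---
function sm_wpcf_sw_options_vulnerable() {
    if ( isset( $_POST['sm_wpcf_sw_stop_words'] ) ) {
        // No nonce check, no capability check, no sanitization: a request
        // forged from another site but sent by an admin's browser is accepted,
        // and whatever it contains (including markup) is stored verbatim.
        update_option( 'sm_wpcf_sw_stop_words', $_POST['sm_wpcf_sw_stop_words'] );
    }
    // ... render the settings form ...
}

// --- Hardened pattern ---
function sm_wpcf_sw_options_hardened() {
    if ( isset( $_POST['sm_wpcf_sw_stop_words'] ) ) {
        // 1. Capability check: only users allowed to manage options proceed.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.', 'sm-wpcf-sw' ) );
        }
        // 2. Nonce check: check_admin_referer() dies with a 403 when the
        //    nonce is missing or invalid, which a cross-site forged request
        //    cannot supply because the nonce is bound to the user and action.
        check_admin_referer( 'sm_wpcf_sw_save_options', 'sm_wpcf_sw_nonce' );
        // 3. Sanitize before storage so the setting cannot carry scripts.
        $raw   = wp_unslash( $_POST['sm_wpcf_sw_stop_words'] );
        $clean = sanitize_textarea_field( $raw );
        update_option( 'sm_wpcf_sw_stop_words', $clean );
    }
    $value = get_option( 'sm_wpcf_sw_stop_words', '' );
    ?>
    <form method="post">
        <?php // Emits the hidden nonce field that check_admin_referer() expects. ?>
        <?php wp_nonce_field( 'sm_wpcf_sw_save_options', 'sm_wpcf_sw_nonce' ); ?>
        <textarea name="sm_wpcf_sw_stop_words"><?php echo esc_textarea( $value ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The nonce check is what closes the CSRF; the capability check and the sanitize-on-input, escape-on-output pair are what keep a settings update from turning into stored script injection.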

Advisories

No advisories yet.

History

Tue, 04 Nov 2025 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 04 Nov 2025 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Tue, 04 Nov 2025 04:45:00 +0000

Type | Values Removed | Values Added
Description | | The Social Media WPCF7 Stop Words plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.3. This is due to missing or incorrect nonce validation on the smWpCfSwOptions() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title | | Social Media WPCF7 Stop Words <= 1.1.3 - Cross-Site Request Forgery to Settings Update
Weaknesses | | CWE-352
References | |
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:56.439Z

Reserved: 2025-10-28T15:38:24.764Z

Link: CVE-2025-12413

Vulnrichment

Updated: 2025-11-04T21:00:00.898Z

NVD

Status : Deferred

Published: 2025-11-04T05:16:13.340

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12413

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T16:45:21Z

Weaknesses