Description
The Reuters Direct plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the 'class-reuters-direct-settings.php' page. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-11-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated attackers can reset the Reuters Direct plugin settings via CSRF, potentially disrupting site configuration and operations
Action: Assess Impact
AI Analysis

Impact

The Reuters Direct plugin for WordPress suffers from a missing or incorrectly implemented nonce check on its settings page, enabling a cross‑site request forgery attack. An unauthenticated attacker can craft a forged request that, when a site administrator clicks a link or performs an action, forces the plugin to reset its configuration to defaults. This vulnerability does not allow code execution but can lead to unintended configuration changes that may impair the site’s functionality.

Affected Systems

The vulnerability affects all versions of the Reuters Direct plugin for WordPress up to and including 3.0.0.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate risk. The EPSS score of less than 1% suggests a very low likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Likely attack vectors involve social engineering whereby an attacker induces an administrator to click a malicious link; this requires the target to be logged into the admin interface and does not require any additional privileges.

Generated by OpenCVE AI on April 22, 2026 at 21:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Reuters Direct plugin to the latest available version that addresses the CSRF issue.
  • Restrict access to the WordPress administration area to trusted IP addresses or enforce two‑factor authentication to reduce the chance that an administrator follows a malicious link.
  • Add or restore proper nonce validation on the plugin’s settings page, or patch the source code to enforce CSRF protection.
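The analysis above attributes the issue to a missing or incorrect nonce check on the settings page, and the last recommended action is to restore that check. The following is an added illustration, not code from the Reuters Direct plugin or from Wordfence, of what that fix looks like in a WordPress plugin: a hypothetical settings-reset handler (the function names, action name and option name are assumptions for this example) shown first in the unprotected form the advisory describes and then with WordPress's built-in nonce protection. The WordPress API calls used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `delete_option`, `wp_safe_redirect`, `submit_button`) are real core functions.

```php
<?php
// Added example (not the Reuters Direct plugin's code). All names prefixed
// "example_plugin_" are hypothetical; the option and action names are assumptions.

// Weak pattern: the handler only checks that the caller is an administrator.
// Because the browser attaches the admin's session cookie to any request,
// a request submitted from a third-party page while the admin is logged in
// passes this check, which is the CSRF condition described in the advisory.
function example_plugin_reset_settings_unprotected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    delete_option( 'example_plugin_settings' );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin&reset=1' ) );
    exit;
}

// Hardened pattern: the request must also carry a nonce that WordPress issued
// to this user for this specific action. A page on another origin cannot read
// that value, so a forged form submission fails the check.
function example_plugin_reset_settings_protected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    // Verifies the '_wpnonce' request field against the action
    // 'example_plugin_reset' and stops execution if it is missing or invalid.
    check_admin_referer( 'example_plugin_reset' );

    delete_option( 'example_plugin_settings' );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin&reset=1' ) );
    exit;
}
// admin-post.php dispatches to this hook for requests with action=example_plugin_reset.
add_action( 'admin_post_example_plugin_reset', 'example_plugin_reset_settings_protected' );

// The settings page must emit the matching nonce so legitimate submissions pass.
function example_plugin_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_reset">
        <?php wp_nonce_field( 'example_plugin_reset' ); ?>
        <?php submit_button( 'Reset settings', 'delete' ); ?>
    </form>
    <?php
}
```

The capability check and the nonce check answer different questions: `current_user_can()` asks whether this user may reset settings, while `check_admin_referer()` asks whether this user actually intended to. A handler that changes state needs both, and the nonce action string passed to `wp_nonce_field()` must match the one passed to `check_admin_referer()` exactly, otherwise every legitimate submission is rejected.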

Advisories

No advisories yet.

History

Fri, 28 Nov 2025 20:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Nov 2025 16:30:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Wordpress; Wordpress wordpress

Thu, 27 Nov 2025 03:00:00 +0000

Type: Description
Values removed: (none)
Values added: The Reuters Direct plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the 'class-reuters-direct-settings.php' page. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values removed: (none)
Values added: Reuters Direct <= 3.0.0 - Cross-Site Request Forgery to Settings Reset

Type: Weaknesses
Values removed: (none)
Values added: CWE-352

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:30.304Z

Reserved: 2025-10-31T21:11:34.927Z

Link: CVE-2025-12578

Vulnrichment

Updated: 2025-11-28T14:39:43.194Z

NVD

Status : Deferred

Published: 2025-11-27T03:15:57.150

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12578

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:15:27Z

Weaknesses