Description
The Peer Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the website management pages. This makes it possible for unauthenticated attackers to add, modify, or delete website configurations via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Published: 2025-11-25
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery that permits unauthenticated modification of WordPress site configurations when an administrator clicks a forged link
Action: Immediate Patching
AI Analysis

Impact

The Peer Publish plugin suffers from a CSRF flaw due to missing nonce validation on its admin pages. If an attacker can lure an authenticated administrator into clicking a crafted link, the resulting forged request can add, change, or delete website configuration settings without the attacker holding any credentials. The flaw therefore lets an attacker alter or destroy site setup information, which could affect multiple hosted sites.

Affected Systems

All installations of the Peer Publish WordPress plugin version 1.0 and earlier. The vulnerability resides in the website management admin pages accessed by site administrators.

Risk and Exploitability

With a CVSS score of 4.3, the flaw is classified as moderate severity. The EPSS score of less than 1% indicates a low probability of exploitation at present, and the vulnerability is not in the CISA KEV catalog. Exploitation requires that an administrator be tricked into issuing the forged request while an authenticated session is active; without that session the forged request does not succeed.

Generated by OpenCVE AI on April 21, 2026 at 01:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Peer Publish plugin update, any version above 1.0, which removes the CSRF vulnerability
  • If an update cannot be deployed immediately, disable or secure the website management pages or block access to them for unauthenticated or non‑admin users
  • Implement or enforce WordPress nonce checks on all forms handling configuration changes to ensure every state‑changing request is validated
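The nonce and capability checks recommended above, shown as an added example of a hypothetical WordPress "save website" handler rather than Peer Publish's own code. The option name pp_example_websites, the admin-post action pp_save_website and the function names are assumptions; the first function shows the CSRF-prone shape the advisory describes, the second the hardened form.

```php
<?php
// Added example, not Peer Publish's code. Assumed names: option
// 'pp_example_websites', admin-post action 'pp_save_website'.

// Vulnerable pattern: trusts any request arriving with an admin's session.
function pp_example_save_website_vulnerable() {
    $sites   = get_option( 'pp_example_websites', array() );
    $sites[] = array(
        'name' => sanitize_text_field( wp_unslash( $_POST['site_name'] ?? '' ) ),
        'url'  => esc_url_raw( wp_unslash( $_POST['site_url'] ?? '' ) ),
    );
    update_option( 'pp_example_websites', $sites );
}

// Hardened pattern: the form carries a nonce bound to this action, and the
// handler verifies both the nonce and the caller's capability before writing.
function pp_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'pp_save_website', 'pp_nonce' ); ?>
        <input type="hidden" name="action" value="pp_save_website">
        <input type="text" name="site_name">
        <input type="url" name="site_url">
        <?php submit_button( 'Save website' ); ?>
    </form>
    <?php
}

function pp_example_save_website_hardened() {
    // Capability check: only users who may manage options can change site config.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: check_admin_referer() dies with a 403 when pp_nonce is
    // missing, expired, or was issued for a different action or user.
    check_admin_referer( 'pp_save_website', 'pp_nonce' );

    $sites   = get_option( 'pp_example_websites', array() );
    $sites[] = array(
        'name' => sanitize_text_field( wp_unslash( $_POST['site_name'] ?? '' ) ),
        'url'  => esc_url_raw( wp_unslash( $_POST['site_url'] ?? '' ) ),
    );
    update_option( 'pp_example_websites', $sites );

    wp_safe_redirect( admin_url( 'admin.php?page=pp-example&saved=1' ) );
    exit;
}
add_action( 'admin_post_pp_save_website', 'pp_example_save_website_hardened' );
```

A nonce generated by wp_nonce_field() is tied to the logged-in user and the action string, so a page hosted elsewhere cannot produce a valid one for the administrator's session.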

Advisories

No advisories yet.

History

Wed, 26 Nov 2025 11:15:00 +0000

Type: First Time appeared
Values Added: Webgarh, Webgarh peer Publish, Wordpress, Wordpress wordpress

Type: Vendors & Products
Values Added: Webgarh, Webgarh peer Publish, Wordpress, Wordpress wordpress

Tue, 25 Nov 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 25 Nov 2025 07:45:00 +0000

Type: Description
Values Added: The Peer Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the website management pages. This makes it possible for unauthenticated attackers to add, modify, or delete website configurations via a forged request granted they can trick an administrator into performing an action such as clicking on a link.

Type: Title
Values Added: Peer Publish <= 1.0 - Cross-Site Request Forgery

Type: Weaknesses
Values Added: CWE-352

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:35:27.058Z

Reserved: 2025-10-31T22:27:24.251Z

Link: CVE-2025-12587

Vulnrichment

Updated: 2025-11-25T14:23:48.687Z

NVD

Status: Deferred

Published: 2025-11-25T08:15:48.913

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12587

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:30:24Z

Weaknesses