Description
The Top Friends plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing nonce validation on the top_friends_options_subpanel() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-11-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of Top Friends plugin settings via CSRF
Action: Immediate Patch
AI Analysis

Impact

The Top Friends plugin for WordPress contains a Cross-Site Request Forgery vulnerability in all releases up to and including version 0.3. The flaw stems from missing nonce validation in the top_friends_options_subpanel() function, which allows an unauthenticated attacker to send a forged request that will be accepted by the plugin. Because the affected function updates plugin options, a successful exploit can silently change configuration values that may alter site behavior, compromise user data, or enable other downstream attacks. The weakness is identified as CWE-352, a classic CSRF flaw.

Affected Systems

All WordPress sites that have the Top Friends plugin installed – specifically any version up to and including 0.3. The plugin is distributed by the author denishua and is included in the official WordPress plugin repository.

Risk and Exploitability

The CVSS score of 4.3 places this vulnerability in the moderate severity range. The EPSS score of less than 1% indicates that active exploitation is currently very unlikely. The vulnerability is not listed in the CISA KEV catalog, and no known exploitation is publicly documented at this time. The likely attack vector is an unauthenticated attacker crafting a malicious link that an unsuspecting site administrator clicks, triggering the forged POST or GET request to the plugin's settings page. Because the request bypasses nonce checks, the settings can be altered without detection.

Generated by OpenCVE AI on April 21, 2026 at 18:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Top Friends plugin to the latest available version that includes nonce validation and removes the CSRF vector.
  • If an update cannot be applied immediately, deactivate or delete the Top Friends plugin from the WordPress installation to eliminate the attack surface.
  • For environments where the plugin must remain active temporarily, implement temporary custom code or a security plugin that enforces nonce checks on the plugin's settings page, ensuring that only valid requests are processed.
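The third recommended action calls for enforcing nonce checks on the plugin's settings page. The following is an added illustration of what that looks like in a WordPress options sub-panel; it is not code from the Top Friends plugin or from Wordfence, and the function, option, slug and nonce names (tf_example_*) are hypothetical placeholders. It uses only core WordPress APIs: wp_nonce_field() embeds a per-user, time-limited token in the form, and check_admin_referer() aborts the request with wp_die() when that token is missing or invalid, which is exactly the check a forged cross-site request cannot satisfy.

```php
<?php
/**
 * Added example (not the Top Friends plugin's code): a minimal WordPress
 * options sub-panel with capability and nonce checks in front of the
 * option update. All tf_example_* names are hypothetical placeholders.
 */

// Nonce action string; constructed for this example.
const TF_EXAMPLE_NONCE_ACTION = 'tf_example_save_settings';

/**
 * Renders the settings form. wp_nonce_field() adds a hidden field holding
 * a token tied to the current user's session and the action string above;
 * a page on another origin cannot read it and so cannot forge a valid POST.
 */
function tf_example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to view this page.', 'tf-example' ) );
    }
    $current = get_option( 'tf_example_friends_limit', 10 );
    ?>
    <div class="wrap">
        <h1>Top Friends (example) settings</h1>
        <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=tf-example' ) ); ?>">
            <?php wp_nonce_field( TF_EXAMPLE_NONCE_ACTION, 'tf_example_nonce' ); ?>
            <label for="tf_example_friends_limit">Friends to display</label>
            <input type="number" id="tf_example_friends_limit" name="tf_example_friends_limit"
                   value="<?php echo esc_attr( $current ); ?>" min="1" max="100">
            <?php submit_button( 'Save settings' ); ?>
        </form>
    </div>
    <?php
}

/**
 * Processes the form submission. Order matters: capability check, then
 * nonce check, then a sanitised update. check_admin_referer() verifies
 * $_POST['tf_example_nonce'] against the action string and the current
 * user, and calls wp_die() on failure, so update_option() is never reached
 * by a request that did not originate from this form.
 */
function tf_example_handle_settings_save() {
    if ( ! isset( $_POST['tf_example_friends_limit'] ) ) {
        return; // Nothing submitted on this request.
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'tf-example' ) );
    }
    // This is the check whose absence makes a settings handler CSRF-able.
    check_admin_referer( TF_EXAMPLE_NONCE_ACTION, 'tf_example_nonce' );

    // Sanitise and bound the value before storing it.
    $limit = absint( wp_unslash( $_POST['tf_example_friends_limit'] ) );
    $limit = max( 1, min( 100, $limit ) );
    update_option( 'tf_example_friends_limit', $limit );
    add_settings_error( 'tf_example', 'tf_example_saved', 'Settings saved.', 'updated' );
}

// Handle the POST early in the admin request, before the page renders.
add_action( 'admin_init', 'tf_example_handle_settings_save' );

// Register the sub-panel under Settings, restricted to administrators.
add_action( 'admin_menu', function () {
    add_options_page(
        'Top Friends (example)',
        'Top Friends (example)',
        'manage_options',
        'tf-example',
        'tf_example_render_settings_page'
    );
} );
```

If a plugin needs to fail more gracefully than wp_die(), wp_verify_nonce( $_POST['tf_example_nonce'], TF_EXAMPLE_NONCE_ACTION ) returns false instead of aborting and can be wrapped in the same capability-then-nonce-then-update sequence. The capability check alone is not sufficient: an administrator's browser sends the login cookie with a forged request, so only the nonce distinguishes a deliberate submission from one triggered by a link the administrator was tricked into following.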


Advisories

No advisories yet.

History

Tue, 18 Nov 2025 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 18 Nov 2025 14:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wordpress
                                       Wordpress wordpress
Vendors & Products                     Wordpress
                                       Wordpress wordpress

Tue, 18 Nov 2025 08:45:00 +0000

Type          Values Removed   Values Added
Description                    The Top Friends plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing nonce validation on the top_friends_options_subpanel() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title                          Top Friends <= 0.3 - Cross-Site Request Forgery to Settings Update
Weaknesses                     CWE-352
References
Metrics                        cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:44.430Z

Reserved: 2025-11-06T19:15:04.869Z

Link: CVE-2025-12827

Vulnrichment

Updated: 2025-11-18T14:40:24.116Z

NVD

Status : Deferred

Published: 2025-11-18T09:15:49.287

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12827

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:30:27Z

Weaknesses