Description
The ContentStudio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.7. This is due to missing or insufficient nonce validation on the add_cstu_settings function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-12-05
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery allowing unauthorized modification of plugin settings
Action: Immediate Patch
AI Analysis

Impact

The vulnerability occurs because the ContentStudio plugin for WordPress fails to validate a nonce in its add_cstu_settings function, enabling Cross‑Site Request Forgery. Unauthenticated attackers can forge a request that a site administrator might click, thereby altering plugin configuration without needing to log in. The weakness is identified as CWE‑352.

Affected Systems

The issue affects the ContentStudio plugin for WordPress for all versions up to and including version 1.3.7. Users running these or older releases are vulnerable. No other products are listed as impacted.

Risk and Exploitability

The CVSS score of 4.3 indicates a medium severity and the EPSS score of less than 1% suggests a low probability of exploitation at the time of assessment. The vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation. Attackers can leverage this flaw by crafting a forged link that an administrator might click, thus exploiting the lack of nonce validation.

Generated by OpenCVE AI on April 22, 2026 at 20:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ContentStudio plugin to a version newer than 1.3.7, where nonce validation is implemented for settings updates.
  • If an immediate update is not possible, deploy a web application firewall rule to block or monitor HTTP requests to the settings endpoint that lack a valid nonce token.
  • Implement strict administrative access controls, limiting who can view and change plugin settings, and regularly audit the settings for unexpected changes.

Generated by OpenCVE AI on April 22, 2026 at 20:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
References

Fri, 05 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Dec 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Contentstudio
Contentstudio contentstudio
Wordpress
Wordpress wordpress
Vendors & Products Contentstudio
Contentstudio contentstudio
Wordpress
Wordpress wordpress

Fri, 05 Dec 2025 05:45:00 +0000

Type Values Removed Values Added
Description The ContentStudio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.7. This is due to missing or insufficient nonce validation on the add_cstu_settings function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title ContentStudio <= 1.3.7 - Cross-Site Request Forgery to Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Contentstudio Contentstudio
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:09.655Z

Reserved: 2025-11-13T19:01:00.718Z

Link: CVE-2025-13144

cve-icon Vulnrichment

Updated: 2025-12-05T15:44:31.652Z

cve-icon NVD

Status : Deferred

Published: 2025-12-05T06:16:07.400

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13144

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T21:00:06Z

Weaknesses