Description
The Rabbit Hole plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the plugin's reset functionality. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability is exacerbated by the fact that the reset operation is performed via a GET request, making exploitation trivial via image tags or hyperlinks.
Published: 2025-12-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery allowing an unauthenticated attacker to reset the Rabbit Hole plugin settings
Action: Apply Patch
AI Analysis

Impact

The Rabbit Hole WordPress plugin suffers from a Cross‑Site Request Forgery flaw caused by missing or incorrect nonce validation on its reset function. An attacker can craft a simple GET request, such as an image tag or hyperlink, that forces a logged‑in site administrator to reset the plugin’s configuration. The resulting action may compromise the site’s security posture or operation by restoring default settings, disabling monitoring features, or exposing sensitive data changes.

Affected Systems

All installations of Rabbit Hole for WordPress with version 1.1 or earlier, distributed by frapesce. The vulnerability applies to any WordPress site that has this plugin active and an administrator accounts with resetting privileges.

Risk and Exploitability

With a CVSS score of 4.3 the flaw is considered low‑to‑moderate severity, but its exploitation is trivial because the malicious URL can be embedded in an image or link. The EPSS score is under 1%, indicating a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the web (network) and requires an attacker to persuade a site administrator to click a crafted link. Once triggered, the reset is performed via a GET request, making the exploit straightforward but limited to the administrator’s session.

Generated by OpenCVE AI on April 21, 2026 at 00:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rabbit Hole to a version that includes the CSRF fix or entire plugin update
  • Restrict the reset endpoint to POST requests and ensure it verifies a valid nonce before executing
  • Deploy a WordPress security plugin such as Wordfence to monitor and block suspicious request patterns

Generated by OpenCVE AI on April 21, 2026 at 00:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Rabbit Hole plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the plugin's reset functionality. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability is exacerbated by the fact that the reset operation is performed via a GET request, making exploitation trivial via image tags or hyperlinks.
Title Rabbit Hole <= 1.1 - Cross-Site Request Forgery to Settings Reset
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:04.169Z

Reserved: 2025-11-18T17:14:15.435Z

Link: CVE-2025-13366

cve-icon Vulnrichment

Updated: 2025-12-18T20:38:38.398Z

cve-icon NVD

Status : Deferred

Published: 2025-12-12T04:15:41.663

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13366

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:00:12Z

Weaknesses