Description
Cross-Site Request Forgery (CSRF) vulnerability in MetricThemes Munk Sites (munk-sites) allows Cross Site Request Forgery. This issue affects Munk Sites: from n/a through <= 1.0.7.
Published: 2025-02-07
Score: 9.6 Critical
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery flaw in the MetricThemes Munk Sites WordPress plugin that permits an attacker to trigger the plugin to install arbitrary WordPress plugins. Based on the description, it is inferred that an attacker could install a malicious plugin that runs with the site administrator's privileges, potentially enabling unauthorized code execution and compromising site integrity.

Affected Systems

WordPress sites running the MetricThemes Munk Sites plugin version 1.0.7 or earlier are affected. Any site administrator who can log into the WordPress admin dashboard and is not protected by additional CSRF defenses may be at risk.

Risk and Exploitability

The CVSS score of 9.6 places this vulnerability in the critical range, while an EPSS score of 1% indicates a low but non‑zero likelihood of exploitation. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker can exploit this remotely by tricking an authenticated administrator into clicking a crafted link or running a script that forces the plugin to install an arbitrary plugin.

Generated by OpenCVE AI on May 2, 2026 at 11:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MetricThemes Munk Sites plugin to any release newer than 1.0.7.
  • If no update is available, deactivate or remove the Munk Sites plugin and replace it with a trusted alternative.
  • Install a reputable security plugin that enforces CSRF tokens and limits the "install plugin" capability to super‑administrators to prevent unauthorized installations.


Advisories
Source: EUVD
ID: EUVD-2025-4032
Title: Cross-Site Request Forgery (CSRF) vulnerability in MetricThemes Munk Sites allows Cross Site Request Forgery. This issue affects Munk Sites: from n/a through 1.0.7.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in MetricThemes Munk Sites allows Cross Site Request Forgery. This issue affects Munk Sites: from n/a through 1.0.7.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in MetricThemes Munk Sites munk-sites allows Cross Site Request Forgery. This issue affects Munk Sites: from n/a through <= 1.0.7.
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Fri, 07 Feb 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 07 Feb 2025 10:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in MetricThemes Munk Sites allows Cross Site Request Forgery. This issue affects Munk Sites: from n/a through 1.0.7.
Title WordPress Munk Sites plugin <= 1.0.7 - CSRF to Arbitrary Plugin Installation vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:35.298Z

Reserved: 2025-02-03T13:34:30.656Z

Link: CVE-2025-25101

Vulnrichment

Updated: 2025-02-07T14:54:12.542Z

NVD

Status: Deferred

Published: 2025-02-07T10:15:15.670

Modified: 2026-04-23T15:25:35.670

Link: CVE-2025-25101

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T11:30:41Z

Weaknesses