Description
The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.30. This is due to missing or incorrect nonce validation on the main_settings() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-06-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration change via CSRF
Action: Patch
AI Analysis

Impact

The Homerunner plugin for WordPress contains a cross‑site request forgery flaw caused by missing or incorrect nonce validation in the main_settings() function. Because the plugin accepts configuration changes without verifying a valid authentication token, an unauthenticated attacker can forge a request that causes an administrator to unintentionally submit a settings update. The result is unauthorized modification of plugin configuration, which can alter site behavior or expose sensitive options. This weakness aligns with CWE-352.

Affected Systems

The vulnerability is present in every release of the Homerunner plugin up to and including version 1.0.30. Any WordPress site that has installed these versions, provided by the vendor coolrunner, is affected. The attack surface is limited to the plugin’s settings page, but the impact can be felt across the entire WordPress installation if the changed settings influence core functionality or security.

Risk and Exploitability

The CVSS base score of 4.3 indicates moderate severity, and the EPSS score of less than 1 % suggests a low likelihood of exploitation at the time of this assessment. The vulnerability is not listed in the CISA KEV catalog, further implying no widespread, weaponized use. Nevertheless, because the flaw requires a simple forged request and only an administrator’s interaction to succeed, a site that has the plugin active represents a moderate risk that should be addressed by applying the available fix promptly.

Generated by OpenCVE AI on April 21, 2026 at 20:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Homerunner plugin to version 1.0.31 or later.
  • If the plugin is not essential, uninstall or disable it to eliminate the vulnerability.
  • Configure a web application firewall to detect and block CSRF requests targeting the plugin’s settings endpoint.

Generated by OpenCVE AI on April 21, 2026 at 20:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28695 The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.29. This is due to missing or incorrect nonce validation on the main_settings() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.29. This is due to missing or incorrect nonce validation on the main_settings() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.30. This is due to missing or incorrect nonce validation on the main_settings() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Homerunner <= 1.0.29 - Cross-Site Request Forgery to Settings Update Homerunner <= 1.0.30 - Cross-Site Request Forgery to Settings Update
References

Mon, 07 Jul 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Coolrunner
Coolrunner homerunner
CPEs cpe:2.3:a:coolrunner:homerunner:*:*:*:*:*:wordpress:*:*
Vendors & Products Coolrunner
Coolrunner homerunner

Thu, 26 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Jun 2025 03:00:00 +0000

Type Values Removed Values Added
Description The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.29. This is due to missing or incorrect nonce validation on the main_settings() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Homerunner <= 1.0.29 - Cross-Site Request Forgery to Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Coolrunner Homerunner Homerunner Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:13.806Z

Reserved: 2025-06-09T15:05:07.647Z

Link: CVE-2025-5932

cve-icon Vulnrichment

Updated: 2025-06-26T13:24:32.080Z

cve-icon NVD

Status : Modified

Published: 2025-06-26T03:15:25.110

Modified: 2026-04-08T18:24:58.637

Link: CVE-2025-5932

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:15:44Z

Weaknesses