Description
Cross-Site Request Forgery (CSRF) vulnerability in Tusko Trush Advanced Custom Fields : CPT Options Pages acf-cpt-options-pages allows Object Injection. This issue affects Advanced Custom Fields : CPT Options Pages: from n/a through <= 2.0.9.
Published: 2025-10-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE describes a Cross‑Site Request Forgery flaw in the Tusko Trush Advanced Custom Fields : CPT Options Pages plugin that enables an attacker to inject arbitrary objects into the WordPress backend. The injected objects could alter plugin configuration or data structures, potentially compromising data integrity or permitting unintended actions, but the description does not confirm remote code execution or broader system compromise.

Affected Systems

All installations of the Advanced Custom Fields : CPT Options Pages plugin released by Tusko Trush with version numbers up to and including 2.0.9 are vulnerable. Any WordPress site running a susceptible version is at risk.

Risk and Exploitability

The CVSS score of 8.8 classifies the issue as high severity, yet the EPSS score of less than 1% indicates a presently low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the CSRF nature of the flaw, the likely attack vector is a web‑based request that requires a logged‑in WordPress user to be tricked into submitting a malicious form or link targeting the plugin’s options pages.

Generated by OpenCVE AI on May 1, 2026 at 06:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Advanced Custom Fields : CPT Options Pages to any version newer than 2.0.9.
  • If an update cannot be applied immediately, temporarily deactivate or remove the plugin from the site to eliminate the vulnerable code paths.
  • Restrict access to the plugin’s options page to the least privileged administrators, and audit third‑party integrations that may trigger the plugin’s pages from external contexts.
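
The record attributes the flaw to a missing CSRF check on the plugin's options pages, with request data reaching code that builds PHP objects from it. The following is an added example written for this page, not code from the acf-cpt-options-pages plugin, showing what a WordPress options-page save handler looks like when it is protected against exactly that: a nonce bound to the save action, a capability check, and a field whitelist that never passes request data to unserialize(). All names prefixed "myplugin_" are assumptions; the WordPress API calls (wp_nonce_field, check_admin_referer, current_user_can, sanitize_text_field, update_option, admin_post_* hooks) are real core functions.

```php
<?php
// Added example (not the acf-cpt-options-pages plugin's code): a hardened
// options-page save handler for a hypothetical plugin. The "myplugin_"
// identifiers are assumptions made for this illustration.

// Render the settings form. The nonce field ties the form to one action,
// so a form submitted from another origin cannot carry a valid token.
function myplugin_render_options_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ) );
    }
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="myplugin_save_options">';
    wp_nonce_field( 'myplugin_save_options', 'myplugin_nonce' ); // CSRF token
    echo '<input type="text" name="myplugin_page_title" value="'
        . esc_attr( get_option( 'myplugin_page_title', '' ) ) . '">';
    submit_button();
    echo '</form>';
}

// Handle the POST. Order matters: verify the nonce first (check_admin_referer
// calls wp_die on failure), then the capability, then accept only known
// scalar fields. Request data is never handed to unserialize(); that is the
// step that turns a forged request into PHP object injection.
function myplugin_save_options() {
    check_admin_referer( 'myplugin_save_options', 'myplugin_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), '', array( 'response' => 403 ) );
    }
    $title = isset( $_POST['myplugin_page_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_page_title'] ) )
        : '';
    update_option( 'myplugin_page_title', $title, false );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=myplugin' ) ) );
    exit;
}
// admin_post_{action} only fires for logged-in users; the nonce check above
// is still required, because CSRF rides on the victim's existing session.
add_action( 'admin_post_myplugin_save_options', 'myplugin_save_options' );
```

When reviewing a plugin for this class of bug, the things to look for are the same three items in this handler: a save path reachable without check_admin_referer() or wp_verify_nonce(), a save path without a capability check, and any call to unserialize() or maybe_unserialize() on $_POST, $_GET or $_REQUEST values.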

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 15:15:00 +0000

Type: Metrics
Values Removed:
  • cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  • ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added:
  • cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  • ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 21:15:00 +0000

Type: Metrics
Values Added:
  • cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  • ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Tusko Trush Advanced Custom Fields : CPT Options Pages acf-cpt-options-pages allows Object Injection. This issue affects Advanced Custom Fields : CPT Options Pages: from n/a through <= 2.0.9.
Type: Title
Values Added: WordPress Advanced Custom Fields : CPT Options Pages plugin <= 2.0.9 - Cross Site Request Forgery (CSRF) vulnerability
Type: Weaknesses
Values Added: CWE-352
Type: References
Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:40:47.846Z

Reserved: 2025-09-25T15:28:42.280Z

Link: CVE-2025-60208

Vulnrichment

Updated: 2025-10-22T20:16:05.764Z

NVD

Status : Deferred

Published: 2025-10-22T15:15:57.843

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-60208

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:15:10Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)