Description
Cross-Site Request Forgery (CSRF) vulnerability in SEMrush CY LTD Semrush Content Toolkit semrush-contentshake allows Cross Site Request Forgery.This issue affects Semrush Content Toolkit: from n/a through <= 1.1.32.
Published: 2025-12-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery (CSRF)
Action: Patch Now
AI Analysis

Impact

The vulnerability is a CSRF flaw that allows an attacker to force a logged‑in user of a WordPress site to perform actions through the Semrush Content Toolkit plugin. Although the specific privileged actions that can be triggered are not enumerated, CSRF generally enables an attacker to change settings, submit content, or otherwise alter site state under the credentials of the victim. The weakness is identified as CWE‑352.

Affected Systems

Semrush Content Toolkit plugin for WordPress, versions from the initial release through 1.1.32 are affected. Any WordPress installation using one of these plugin versions is at risk.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score of less than 1 % reflects a low probability of attack at this time, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, requiring a victim user to visit a malicious page that sends a forged request to the site with the plugin active. An attacker needs the victim to be authenticated and have sufficient privileges for the action that the plugin performs.

Generated by OpenCVE AI on April 27, 2026 at 22:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Semrush Content Toolkit plugin to a version newer than 1.1.32
  • Verify that the new plugin release implements CSRF protection and test the change on a staging environment before deployment
  • Restrict the plugin’s functionality or user roles if a timely update is not possible, thereby limiting the potential impact of the CSRF flaw

Generated by OpenCVE AI on April 27, 2026 at 22:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Wed, 17 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 16 Dec 2025 08:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in SEMrush CY LTD Semrush Content Toolkit semrush-contentshake allows Cross Site Request Forgery.This issue affects Semrush Content Toolkit: from n/a through <= 1.1.32.
Title WordPress Semrush Content Toolkit plugin <= 1.1.32 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:28.361Z

Reserved: 2025-12-15T10:01:29.282Z

Link: CVE-2025-68082

cve-icon Vulnrichment

Updated: 2025-12-17T19:43:40.887Z

cve-icon NVD

Status : Deferred

Published: 2025-12-16T09:16:03.223

Modified: 2026-04-27T19:16:24.973

Link: CVE-2025-68082

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:15:15Z

Weaknesses