Description
The WP SinoType plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the sinotype_config function. This makes it possible for unauthenticated attackers to modify typography settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-10-03
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery
Action: Apply Plugin Update
AI Analysis

Impact

The WP SinoType plugin for WordPress is affected by a Cross-Site Request Forgery vulnerability that originates from missing or incorrect nonce validation in the sinotype_config function. This flaw allows an attacker who can lure the site administrator into clicking a malicious link to change typography settings on the site without authenticating. The impact is that the attacker can modify appearance parameters, potentially defacing the site or embedding malicious styles, although the attack does not provide direct code execution or data exfiltration capability.

Affected Systems

Affected installations are WordPress sites running the WP SinoType plugin version 1.0 or older. The plugin is maintained by samueljesse and is identified by the vendor/product name WP SinoType. No other products or versions are listed as affected.

Risk and Exploitability

The CVSS score of 4.3 indicates a low to moderate risk, and the EPSS score of less than 1% suggests a very low probability of exploitation at this time. The vulnerability is not included in CISA's KEV catalog. Exploitation requires user interaction: the administrator must navigate to a forged URL or click a link that submits the unverified request. Because the flaw can be triggered by unauthenticated individuals only if they successfully trick an administrator, the operational risk is limited, but it should still be mitigated promptly.

Generated by OpenCVE AI on April 20, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP SinoType to a version that includes proper nonce checking (any release newer than 1.0).
  • If an update is not immediately available, deactivate or uninstall the plugin until the fix is installed.
  • Educate site administrators to be wary of unexpected links that request changes to site settings, and consider adding a security plugin that warns about CSRF attempts.

Generated by OpenCVE AI on April 20, 2026 at 19:23 UTC.
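The recommended actions above hinge on "proper nonce checking", so the following illustrates what that means in WordPress terms. It is an added example, not the WP SinoType plugin's code and not derived from it: the function, option and nonce names (example_typography_*) are assumptions. It shows a settings handler written in the vulnerable pattern (state change on POST with no nonce or capability check, which is the CWE-352 shape described above) beside the hardened pattern that binds the request to an action-specific nonce and to the caller's capability.

```php
<?php
// Added illustration of the WordPress nonce pattern. Hypothetical plugin code;
// the example_typography_* names are assumptions, not the WP SinoType plugin's.

// VULNERABLE PATTERN (do not use): any POST that reaches this hook changes the
// option. A forged cross-site form submitted by a logged-in administrator's
// browser is accepted, because nothing proves the request came from the
// plugin's own settings page or that the caller may change options.
function example_typography_save_vulnerable() {
    if ( isset( $_POST['example_font_family'] ) ) {
        update_option(
            'example_font_family',
            sanitize_text_field( wp_unslash( $_POST['example_font_family'] ) )
        );
    }
}

// HARDENED PATTERN: capability check plus action-specific nonce verification.
function example_typography_save_hardened() {
    if ( ! isset( $_POST['example_font_family'] ) ) {
        return; // nothing to save
    }

    // 1. Authorisation: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-typography' ), 403 );
    }

    // 2. CSRF defence: check_admin_referer() verifies the nonce sent in the
    //    'example_typography_nonce' field for the action
    //    'example_typography_save'. A forged request from another origin
    //    cannot carry a valid nonce, so it dies here with a 403 page.
    check_admin_referer( 'example_typography_save', 'example_typography_nonce' );

    // 3. Only now is the state change performed, on sanitised input.
    update_option(
        'example_font_family',
        sanitize_text_field( wp_unslash( $_POST['example_font_family'] ) )
    );
}

// The settings form must emit the matching nonce field, otherwise legitimate
// saves fail the check too.
function example_typography_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_typography_save', 'example_typography_nonce' ); ?>
        <label for="example_font_family">Font family</label>
        <input type="text" id="example_font_family" name="example_font_family"
               value="<?php echo esc_attr( get_option( 'example_font_family', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Wire the hardened handler; the vulnerable one is kept only for comparison.
add_action( 'admin_init', 'example_typography_save_hardened' );
```

The nonce is tied to the current user and session and expires, so it cannot be pre-computed by a third party; the capability check is still required because a nonce proves request origin, not authorisation. Plugins that register their options through the Settings API and post to options.php get the nonce check for free, since options.php calls check_admin_referer() itself; a custom handler such as the one above has to do it explicitly.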

Advisories
Source   ID                 Title
EUVD     EUVD-2025-32255    The WP SinoType plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the sinotype_config function. This makes it possible for unauthenticated attackers to modify typography settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Mon, 06 Oct 2025 14:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (empty)          Wordpress; Wordpress wordpress
Vendors & Products    (empty)          Wordpress; Wordpress wordpress

Fri, 03 Oct 2025 14:15:00 +0000

Type      Values Removed   Values Added
Metrics   (empty)          ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Oct 2025 11:30:00 +0000

Type          Values Removed   Values Added
Description   (empty)          The WP SinoType plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the sinotype_config function. This makes it possible for unauthenticated attackers to modify typography settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title         (empty)          WP SinoType <= 1.0 - Cross-Site Request Forgery
Weaknesses    (empty)          CWE-352
References    (empty)          (empty)
Metrics       (empty)          cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:48.952Z

Reserved: 2025-08-28T19:46:35.987Z

Link: CVE-2025-9630

Vulnrichment

Updated: 2025-10-03T14:01:48.545Z

NVD

Status : Deferred

Published: 2025-10-03T12:15:48.743

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9630

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:30:06Z

Weaknesses