Description
The LH Signing plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.83. This is due to missing or incorrect nonce validation on the plugin_options function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-09-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery
Action: Patch or Workaround
AI Analysis

Impact

The LH Signing WordPress plugin is vulnerable to Cross-Site Request Forgery because the plugin_options function does not validate a nonce on every request. An attacker who can trick an administrator into executing a forged request can modify any of the plugin's settings, which could alter the plugin's behavior, weaken site security or redirect traffic. The weakness is classified as CWE-352: the handler never verifies that the request was intentionally submitted by the logged-in user rather than triggered from another site.

Affected Systems

WordPress sites that use the LH Signing plugin version 2.83 or earlier are affected. The plugin, developed by shawfactor, is included in the plugin repository and can be installed on any WordPress instance where site administrators manage it.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a very low exploitation probability at the time of analysis. The vulnerability is not listed in CISA's KEV catalog, further indicating that no widespread or known exploitation is in circulation. The attack vector is Cross-Site Request Forgery: a malicious actor would need to persuade an administrator to click a crafted link or visit a malicious page that submits a forged POST request to the plugin_options endpoint. The attacker needs no account of their own, but the forged request only succeeds when an administrator's browser executes it with that administrator's privileges, so exploitation depends on a privileged victim; once the plugin settings are altered, however, the attacker could gain broader influence over the site's operation.

Generated by OpenCVE AI on April 20, 2026 at 21:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LH Signing plugin to the latest available version (2.84 or later) so that the nonce validation bug is fixed.
  • If the update cannot be applied immediately, disable or delete the plugin from the site to eliminate the attack surface until a patch is released.
  • As a temporary measure for sites that must continue using the old plugin, modify the plugin code to add proper nonce checks to the plugin_options handler or restrict access to this handler so that only authenticated administrators can invoke it.
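The nonce-plus-capability fix described in the last action, as an added example that is not the plugin's own code: a hypothetical settings handler in the vulnerable shape the advisory describes, beside a hardened version using WordPress's check_admin_referer() and current_user_can(). Option, field, hook and nonce names are assumed.

```php
<?php
// Added illustration (hypothetical, not the LH Signing plugin's own code): a minimal
// WordPress settings handler showing the CSRF-prone pattern the advisory describes
// beside a hardened version. Option, field, hook and nonce names are assumed.

// VULNERABLE PATTERN: any POST reaching the handler is trusted, so a form on an
// attacker-controlled page that an administrator's browser submits is accepted.
function example_plugin_options_vulnerable() {
    if ( isset( $_POST['example_setting'] ) ) {
        update_option( 'example_setting', sanitize_text_field( wp_unslash( $_POST['example_setting'] ) ) );
    }
}

// HARDENED: (1) authorization - the caller must hold manage_options;
// (2) intent - the request must carry a valid nonce bound to this action.
// A nonce alone is not authorization, and a capability check alone does not stop CSRF.
function example_plugin_options_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() calls wp_die() if the nonce is missing, expired or forged.
    check_admin_referer( 'example_plugin_save_options', 'example_plugin_nonce' );

    if ( isset( $_POST['example_setting'] ) ) {
        update_option( 'example_setting', sanitize_text_field( wp_unslash( $_POST['example_setting'] ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin&settings-updated=1' ) );
    exit;
}
// admin_post_{action} routes POSTs sent to admin-post.php with action=example_plugin_save_options.
add_action( 'admin_post_example_plugin_save_options', 'example_plugin_options_hardened' );

// The settings form must emit the matching nonce so legitimate submissions pass.
function example_plugin_options_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save_options">
        <?php wp_nonce_field( 'example_plugin_save_options', 'example_plugin_nonce' ); ?>
        <input type="text" name="example_setting"
               value="<?php echo esc_attr( get_option( 'example_setting', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Restricting the handler to administrators without the nonce would still leave the CSRF open, because the forged request arrives in the administrator's own authenticated session.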

Advisories

Source: EUVD
ID: EUVD-2025-27634
Title: identical to the description at the top of this page
History

Fri, 12 Sep 2025 08:15:00 +0000

  • First Time appeared: added Wordpress, Wordpress wordpress; nothing removed
  • Vendors & Products: added Wordpress, Wordpress wordpress; nothing removed

Thu, 11 Sep 2025 15:15:00 +0000

  • Metrics: added ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}; nothing removed

Thu, 11 Sep 2025 07:30:00 +0000

  • Description: added (identical to the description at the top of this page); nothing removed
  • Title: added "LH Signing <= 2.83 - Cross-Site Request Forgery"
  • Weaknesses: added CWE-352
  • References: no values listed
  • Metrics: added cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:27.471Z

Reserved: 2025-08-28T20:02:32.658Z

Link: CVE-2025-9633

Vulnrichment

Updated: 2025-09-11T13:31:29.270Z

NVD

Status: Deferred

Published: 2025-09-11T08:15:38.360

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9633

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:00:11Z

Weaknesses