Description
The User Sync – Remote User Sync plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the mo_user_sync_form_handler() function. This makes it possible for unauthenticated attackers to deactivate the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-09-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery enabling plugin deactivation
Action: Patch
AI Analysis

Impact

The vulnerability in the User Sync – Remote User Sync plugin stems from a missing or incorrect nonce validation in the mo_user_sync_form_handler() function. Because the plugin fails to verify a request nonce, an attacker can craft a forged request that the system will accept as legitimate. This flaw allows an unauthenticated attacker—provided they can convince a site administrator to click a malicious link—to deactivate the plugin, resulting in loss of remote user synchronization and any services that depend on it. The weakness is a classic Cross‑Site Request Forgery flaw, classified as CWE‑352, which permits execution of privileged actions without proper authentication.
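As an added illustration (constructed for this page, not the plugin's own code and not part of the OpenCVE analysis), the following hypothetical WordPress admin-post handler shows the defect class described above next to its hardened form. All `example_sync_*` names, the nonce action string and the plugin file path are invented; the WordPress functions used (`check_admin_referer()`, `current_user_can()`, `wp_nonce_field()`, `deactivate_plugins()`) are real core APIs.

```php
<?php
// Constructed example of a CWE-352 defect in a WordPress form handler and its fix.
// NOT the plugin's code: example_sync_* names and paths are hypothetical.

// --- Vulnerable pattern: state change on a POSTed form with no nonce check.
function example_sync_form_handler_vulnerable() {
    if ( isset( $_POST['deactivate_plugin'] ) ) {
        // Any request reaching this hook is honoured, including one submitted
        // by an administrator's browser from a page the attacker controls.
        deactivate_plugins( 'example-sync/example-sync.php' );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example-sync' ) );
    exit;
}

// --- Hardened pattern: nonce check and capability check before any change.
function example_sync_form_handler_fixed() {
    // check_admin_referer() runs wp_verify_nonce() on the '_wpnonce' field and
    // stops with a "link has expired" page when it is missing or invalid.
    check_admin_referer( 'example_sync_form_action' );

    // A valid nonce proves intent, not authorization: also check capability.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-sync' ), '', array( 'response' => 403 ) );
    }

    if ( isset( $_POST['deactivate_plugin'] ) ) {
        deactivate_plugins( 'example-sync/example-sync.php' );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example-sync' ) );
    exit;
}

// The settings form must emit the matching nonce so legitimate submissions pass.
function example_sync_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_sync_form">
        <?php wp_nonce_field( 'example_sync_form_action' ); ?>
        <button type="submit" name="deactivate_plugin" value="1">Deactivate</button>
    </form>
    <?php
}

// admin_post_{action} fires for logged-in users submitting to admin-post.php.
add_action( 'admin_post_example_sync_form', 'example_sync_form_handler_fixed' );
```

The nonce is tied to the logged-in user and rotates on a fixed tick, so a form copied onto a third-party site cannot carry a valid one; the capability check remains necessary because nonces are not an access-control mechanism.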

Affected Systems

The affected system is the WordPress plugin User Sync – Remote User Sync from vendor cyberlord92. All releases up to and including version 1.0.2 are vulnerable; newer releases are not listed as affected.

Risk and Exploitability

The CVSS score of 4.3 places this issue in the moderate range, and the EPSS score of less than 1% indicates an extremely low likelihood of exploitation. The vulnerability is not included in CISA’s KEV catalog. Exploitation requires an attacker to deceive a site administrator into opening a crafted link, so social engineering is the primary prerequisite. While the exploitation probability is low, the potential denial of remote user synchronization could disrupt business operations, warranting a prompt patch.

Generated by OpenCVE AI on April 21, 2026 at 02:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the User Sync – Remote User Sync plugin to a version newer than 1.0.2, which includes proper nonce validation to block CSRF requests.
  • If an immediate upgrade is not possible, deactivate or uninstall the plugin to eliminate the attack vector altogether.
  • Train site administrators to recognize and avoid suspicious links, and consider installing a WordPress security plugin that logs or blocks suspicious nonce activity for added protection.


Advisories
Source: EUVD
ID: EUVD-2025-29672
Title: The User Sync – Remote User Sync plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the mo_user_sync_form_handler() function. This makes it possible for unauthenticated attackers to deactivate the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Wed, 17 Sep 2025 13:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Sep 2025 11:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Wed, 17 Sep 2025 02:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: The User Sync – Remote User Sync plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the mo_user_sync_form_handler() function. This makes it possible for unauthenticated attackers to deactivate the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Removed: (none)
Values Added: User Sync – Remote User Sync <= 1.0.2 - Cross-Site Request Forgery to Plugin Deactivation

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-352

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:00.382Z

Reserved: 2025-09-02T22:59:56.638Z

Link: CVE-2025-9891

Vulnrichment

Updated: 2025-09-17T13:09:22.438Z

NVD

Status : Deferred

Published: 2025-09-17T02:15:34.003

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9891

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:00:06Z

Weaknesses