CVE-2025-9896 - Vulnerability Details

- HidePost <= 2.3.8 - Cross-Site Request Forgery

Description

The HidePost plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.8. This is due to missing or incorrect nonce validation on the options.php settings page. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published: 2025-09-27

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The HidePost plugin suffers from missing or incorrect nonce validation on its options.php settings page. This flaw lets an unauthenticated attacker forge a request that, if an administrator performs a simple action such as clicking a link, will modify the plugin’s configuration. The change can influence how posts are hidden or shown, potentially altering site content visibility. The underlying weakness is classified as a Cross‑Site Request Forgery, CWE‑352.

Affected Systems

The vulnerability applies to the HidePost WordPress plugin from the vendor funnnny, specifically all releases up to and including version 2.3.8. WordPress sites that have this plugin installed and are running those version numbers are susceptible.

Risk and Exploitability

The CVSS score of 4.3 indicates a medium impact when the flaw is exploited. The EPSS score of less than 1% suggests that exploitation is currently very unlikely. The flaw is not listed in the CISA KEV catalog. An attacker would need to compromise the administrative browser session of a site owner or trick an administrator into following a malicious URL that performs the forged request. Once executed, the attacker can alter plugin settings without needing further privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

funnnny

HidePost

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.3.8

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the HidePost plugin to the latest version (greater than 2.3.8) which restores proper nonce validation.
If an immediate upgrade is not possible, remove or deactivate HidePost to eliminate the vulnerable code path.
Maintain overall WordPress and plugin updates and consider additional security testing for CSRF vulnerabilities.

Generated by OpenCVE AI on April 22, 2026 at 14:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-31415	The HidePost plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.8. This is due to missing or incorrect nonce validation on the options.php settings page. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/hidepost/tags/2.3.8/options.php#L7
https://www.wordfence.com/threat-intel/vulnerabilities/id/1a618dbf-1180-4937-8466-5abc784a3365?source=cve

History

Mon, 29 Sep 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 29 Sep 2025 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Sat, 27 Sep 2025 07:00:00 +0000

Type	Values Removed	Values Added
Description		The HidePost plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.8. This is due to missing or incorrect nonce validation on the options.php settings page. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title		HidePost <= 2.3.8 - Cross-Site Request Forgery
Weaknesses		CWE-352
References		https://plugins.trac.wordpress.org/browser/hidepost/tags/2.3.8/options.php#L7 https://www.wordfence.com/threat-intel/vulnerabilities/id/1a618dbf-1180-4937-8466-5abc784a3365?source=cve
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}`

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-09-27T06:47:13.427Z

Updated: 2026-04-08T16:38:04.783Z

Reserved: 2025-09-02T23:17:39.312Z

Link: CVE-2025-9896

Vulnrichment

Updated: 2025-09-29T19:05:02.969Z

NVD

Status : Deferred

Published: 2025-09-27T07:15:34.667

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9896

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T14:30:18Z

Weaknesses

CWE-352

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object