CVE-2025-54039
Description
Cross-Site Request Forgery (CSRF) vulnerability in Toast Plugins Animator (scroll-triggered-animations) allows Cross Site Request Forgery. This issue affects Animator: from n/a through <= 3.0.16.
Analysis
Cross-site request forgery (CSRF) in Toast Plugins Animator WordPress plugin versions through 3.0.16 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge. The vulnerability affects the scroll-triggered-animations plugin and carries low exploitation probability (EPSS 0.02%, 6th percentile) with no active exploitation confirmed. While CSRF vulnerabilities typically require social engineering to trick users into visiting malicious pages, this issue could be leveraged to modify plugin settings or website content if a site administrator visits an attacker-controlled page.
Technical Context
This is a classic Cross-Site Request Forgery (CWE-352) vulnerability in a WordPress plugin. CSRF abuses the fact that HTTP is stateless and that browsers automatically attach stored authentication cookies to cross-site requests, so a request forged from a third-party page arrives with the victim's session and is processed without the user's knowledge or consent. The Animator plugin (identified via CPE context as a WordPress plugin handling scroll-triggered animations) likely lacks proper nonce validation or CSRF tokens on sensitive administrative actions. WordPress plugins are particularly targeted for CSRF because they often add custom AJAX endpoints or admin pages that interact with sensitive plugin settings. The low EPSS score (0.02%) suggests either weak attack preconditions, limited practical impact, or high complexity in constructing an effective exploit against this specific implementation.
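To make the missing-nonce pattern concrete, here is an added example (not the Animator plugin's code) of a hypothetical WordPress settings-save handler, first without CSRF protection and then hardened with WordPress's nonce and capability checks; the `demo_*` function, option and action names are invented for illustration.

```php
<?php
// Added example, not the Animator plugin's code: a hypothetical settings-save
// handler registered on admin-post.php, shown without and then with CSRF protection.

// Weak form: the handler trusts any POST that arrives with an administrator's
// session cookie. Nothing proves the request came from the plugin's own settings
// page, which is exactly the CWE-352 condition described above.
function demo_save_settings_unsafe() {
    update_option( 'demo_animation_speed', $_POST['speed'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}

// Hardened form: a nonce bound to this action and the current user is required,
// and a capability check ensures only users allowed to manage options succeed.
function demo_save_settings() {
    // check_admin_referer() runs wp_verify_nonce() on $_POST['_wpnonce'] and
    // dies with HTTP 403 if the nonce is missing, expired, or was issued for a
    // different action or user.
    check_admin_referer( 'demo_save_settings_action' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo' ), 403 );
    }

    // Sanitize input before persisting it.
    $speed = isset( $_POST['speed'] ) ? absint( $_POST['speed'] ) : 0;
    update_option( 'demo_animation_speed', $speed );

    wp_safe_redirect( admin_url( 'options-general.php?page=demo&updated=1' ) );
    exit;
}
add_action( 'admin_post_demo_save_settings', 'demo_save_settings' );

// The legitimate settings form embeds the matching nonce so real submissions pass.
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'demo_save_settings_action' ); ?>
        <input type="hidden" name="action" value="demo_save_settings">
        <input type="number" name="speed"
               value="<?php echo esc_attr( get_option( 'demo_animation_speed', 1 ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Auditing a plugin for this class of bug therefore means locating every `admin_post_*`, `wp_ajax_*` and settings-page handler that writes options or content and confirming each one calls `check_admin_referer()` or `check_ajax_referer()` (or `wp_verify_nonce()`) before acting.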
Affected Products
Toast Plugins Animator (scroll-triggered-animations) for WordPress is affected in all versions from initial release through version 3.0.16 inclusive. The plugin is identified as a WordPress plugin component handling scroll-triggered animation functionality. Organizations running Animator version 3.0.16 or earlier on WordPress sites should prioritize upgrading. Additional product lineage and CPE data are not available from the provided intelligence.
Remediation
Update Toast Plugins Animator to a version newer than 3.0.16 as soon as possible. The vendor advisory at https://patchstack.com/database/Wordpress/Plugin/scroll-triggered-animations/vulnerability/wordpress-animator-plugin-3-0-16-cross-site-request-forgery-csrf-vulnerability?_s_id=cve confirms the vulnerability and should be consulted for the specific patched version number. In the interim, site administrators should restrict plugin access to trusted administrators only and educate users not to click untrusted links while logged into WordPress. If a patched version has not yet been released, consider disabling the Animator plugin until an update is available.