Skip to main content

Toast Plugins Animator CVE-2025-54039

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-07-16 audit@patchstack.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:42 NVD
4.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:43 vuln.today
CVE Published
Jul 16, 2025 - 11:15 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Toast Plugins Animator scroll-triggered-animations allows Cross Site Request Forgery.This issue affects Animator: from n/a through <= 3.0.16.

AnalysisAI

Cross-site request forgery (CSRF) in Toast Plugins Animator WordPress plugin versions through 3.0.16 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge. The vulnerability affects the scroll-triggered-animations plugin and carries low exploitation probability (EPSS 0.02%, 6th percentile) with no active exploitation confirmed. While CSRF vulnerabilities typically require social engineering to trick users into visiting malicious pages, this issue could be leveraged to modify plugin settings or website content if a site administrator visits an attacker-controlled page.

Technical ContextAI

This is a classic Cross-Site Request Forgery (CWE-352) vulnerability in a WordPress plugin. CSRF exploits the stateless nature of HTTP by leveraging browser-stored authentication cookies to forge requests without the user's knowledge or consent. The Animator plugin (identified via CPE context as a WordPress plugin handling scroll-triggered animations) likely lacks proper nonce validation or CSRF tokens on sensitive administrative actions. WordPress plugins are particularly targeted for CSRF because they often add custom AJAX endpoints or admin pages that interact with sensitive plugin settings. The low EPSS score (0.02%) suggests either weak attack preconditions, limited practical impact, or high complexity in constructing an effective exploit against this specific implementation.

Affected ProductsAI

Toast Plugins Animator (scroll-triggered-animations) for WordPress is affected in all versions from initial release through version 3.0.16 inclusive. The plugin is identified as a WordPress plugin component handling scroll-triggered animation functionality. Affected organizations running Animator version 3.0.16 or earlier on WordPress sites should prioritize upgrading. Additional product lineage and CPE data is not available from the provided intelligence.

RemediationAI

Update Toast Plugins Animator to a version newer than 3.0.16 as soon as possible. The vendor advisory at https://patchstack.com/database/Wordpress/Plugin/scroll-triggered-animations/vulnerability/wordpress-animator-plugin-3-0-16-cross-site-request-forgery-csrf-vulnerability?_s_id=cve confirms the vulnerability and should be consulted for the specific patched version number. In the interim, site administrators should restrict plugin access to trusted administrators only and educate users not to click untrusted links while logged into WordPress. If a patched version has not yet been released, consider disabling the Animator plugin until an update is available.

Share

CVE-2025-54039 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy