CVE-2025-54042
Description
Cross-Site Request Forgery (CSRF) vulnerability in Xfinitysoft WP Post Hide wp-post-hide allows Cross Site Request Forgery. This issue affects WP Post Hide: from n/a through <= 1.0.9.
Analysis
Cross-site request forgery in the Xfinitysoft WP Post Hide plugin for WordPress, versions 1.0.9 and earlier, allows unauthenticated attackers to perform unauthorized actions on behalf of site administrators by luring them to malicious web pages. The EPSS exploitation probability of 0.02% indicates minimal real-world attack likelihood despite the vulnerability's presence.
Technical Context
This vulnerability stems from CWE-352 (Cross-Site Request Forgery), a class of web application flaws where an attacker tricks an authenticated user into performing unintended actions on a target website without their knowledge or consent. The WP Post Hide plugin, used in WordPress environments to control post visibility, fails to implement or validate CSRF tokens (nonces in WordPress terminology) on state-changing operations. WordPress plugins that modify post states or administrator settings require CSRF protection through nonce verification; the absence of this control in the wp-post-hide plugin allows attackers to craft malicious requests that execute when administrators visit attacker-controlled pages while logged into their WordPress installation.
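The pattern described above, shown as an added illustration rather than the WP Post Hide plugin's own code: a hypothetical admin-post handler that changes a post's visibility, first without any nonce check and then with the WordPress nonce and capability checks that close the CSRF hole. The action names, the `_demo_hidden` meta key and the form function are assumptions for the example.

```php
<?php
// Added illustration, not the WP Post Hide plugin's code. Hypothetical plugin that
// toggles a post's visibility through admin-post.php.

// Vulnerable pattern: the state change is keyed only on the logged-in cookie, so a
// form submission from an attacker-controlled page, sent by an administrator's
// browser, is accepted exactly like a legitimate one.
add_action( 'admin_post_demo_hide_post_insecure', function () {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    update_post_meta( $post_id, '_demo_hidden', '1' ); // no nonce, no capability check
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
} );

// Hardened pattern: the form carries a nonce bound to the action, the post ID and
// the current user's session; the handler verifies it before checking capability.
function demo_render_hide_form( $post_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'demo_hide_post_' . (int) $post_id ); ?>
        <input type="hidden" name="action" value="demo_hide_post">
        <input type="hidden" name="post_id" value="<?php echo (int) $post_id; ?>">
        <button type="submit">Hide post</button>
    </form>
    <?php
}

add_action( 'admin_post_demo_hide_post', function () {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    // check_admin_referer() stops execution if the _wpnonce field is missing,
    // expired, or was generated for a different action, user, or post.
    check_admin_referer( 'demo_hide_post_' . $post_id );
    // Nonces prove intent, not authorization: still verify the capability.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    update_post_meta( $post_id, '_demo_hidden', '1' );
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
} );
```

A forged cross-site request cannot supply a valid `_wpnonce` for the victim's session, so the hardened handler rejects it before any state changes.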
Affected Products
The WP Post Hide plugin by Xfinitysoft, distributed through the WordPress plugin ecosystem, is affected in all versions from the initial release through version 1.0.9 inclusive. The plugin identifier is wp-post-hide, and the vulnerability applies to WordPress installations with this plugin active regardless of WordPress core version. Detailed vulnerability information is available at the Patchstack database entry referenced in the original report.
Remediation
Users should update the WP Post Hide plugin to a version newer than 1.0.9, which should include CSRF token validation and nonce verification on all state-changing operations. Review the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-post-hide/vulnerability/wordpress-wp-post-hide-plugin-1-0-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve for confirmation of the patched version number and additional remediation guidance. As an interim measure on sites unable to immediately update, disable the WP Post Hide plugin if its functionality is not critical to site operations, or restrict administrative access to trusted networks only.