Skip to main content

Javo Core CVE-2025-60111

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-09-26 audit@patchstack.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Updated
Apr 24, 2026 - 01:24 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 19:14 vuln.today
CVE Published
Sep 26, 2025 - 09:15 nvd
HIGH 8.8

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in javothemes Javo Core allows Authentication Bypass. This issue affects Javo Core: from n/a through 3.0.0.266.

AnalysisAI

CSRF vulnerability in Javo Core WordPress plugin (versions up to 3.0.0.266) enables attackers to bypass authentication controls and execute high-impact unauthorized actions. Despite an 8.8 CVSS score indicating critical severity across confidentiality, integrity, and availability, the 2% EPSS score (6th percentile) suggests minimal real-world exploitation activity. No active exploitation confirmed (not listed in CISA KEV). The vulnerability requires user interaction - attackers must trick authenticated administrators into visiting a malicious site or clicking a crafted link while logged into WordPress.

Technical ContextAI

CSRF (CWE-352) is a client-side attack that exploits the browser's automatic inclusion of session credentials (cookies, authentication tokens) with cross-origin requests. Javo Core is a WordPress plugin by javothemes that provides core functionality for directory and listing themes. The vulnerability exists because the plugin fails to implement proper nonce validation on sensitive state-changing operations through version 3.0.0.266. WordPress provides built-in CSRF protection mechanisms via wp_nonce_field() and check_admin_referer() functions, but this plugin appears to have omitted or incorrectly implemented these protections on critical endpoints. The CVSS vector indicates network-based attack delivery requiring user interaction, with no privilege requirements for the attacker but resulting in high impact across all CIA triad dimensions when successfully exploited against an authenticated admin session.

Affected ProductsAI

Javo Core WordPress plugin by javothemes, all versions from initial release through version 3.0.0.266 inclusive. The vulnerability affects WordPress installations where the plugin is active, regardless of the underlying WordPress version. No CPE strings provided in vulnerability data. Vendor advisory and technical details available at Patchstack database reference https://patchstack.com/database/wordpress/plugin/javo-core/vulnerability/wordpress-javo-core-plugin-3-0-0-266-cross-site-request-forgery-csrf-vulnerability

RemediationAI

Primary remediation: Upgrade Javo Core plugin to a patched version newer than 3.0.0.266 if available. Check the WordPress plugin repository or javothemes vendor site for updates. Patchstack reference at https://patchstack.com/database/wordpress/plugin/javo-core/vulnerability/wordpress-javo-core-plugin-3-0-0-266-cross-site-request-forgery-csrf-vulnerability provides vulnerability details but does not confirm availability of a fixed version at time of disclosure. If no patch is available, implement compensating controls: restrict WordPress admin panel access to trusted IP ranges via .htaccess or web application firewall rules (trade-off: breaks remote administration), disable the Javo Core plugin entirely if not mission-critical (impact: loss of directory/listing functionality), or deploy Content Security Policy headers to restrict form submission origins (complexity: requires testing to avoid breaking legitimate functionality). Educate administrator users to never click untrusted links while logged into WordPress dashboards.

Share

CVE-2025-60111 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy