CVE-2025-62107
Description
Cross-Site Request Forgery (CSRF) vulnerability in PluginOps Feather Login Page feather-login-page allows Cross Site Request Forgery. This issue affects Feather Login Page: from n/a through <= 1.1.7.
Analysis
Cross-site request forgery (CSRF) vulnerability in PluginOps Feather Login Page WordPress plugin versions up to 1.1.7 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. The vulnerability stems from missing CSRF token validation on plugin functionality, enabling attackers to craft malicious requests that execute when users visit attacker-controlled pages while logged into sites using the vulnerable plugin. No public exploit code or active exploitation had been identified at the time of analysis; however, the low EPSS score (0.02%) and the lack of CVSS data suggest this may represent a lower-severity implementation gap rather than a critical attack vector in typical WordPress deployments.
Technical Context
The vulnerability involves improper implementation of WordPress security mechanisms, specifically the absence of nonce (number used once) validation or other CSRF token protections within the Feather Login Page plugin. WordPress provides the wp_nonce_field() and wp_verify_nonce() functions to generate and validate CSRF tokens; failure to use them in form submissions or AJAX handlers allows cross-origin requests to execute privileged actions. This falls under CWE-352 (Cross-Site Request Forgery), a class of vulnerabilities in which state-changing operations (form submissions, user actions) lack sufficient validation of request origin or user intent. The affected product is the PluginOps Feather Login Page WordPress plugin, distributed through the official WordPress plugin repository.
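As an added illustration of the missing-nonce pattern described above (hypothetical handler code written for this page, not the Feather Login Page plugin's own source; the fl_-prefixed function names, option keys and action hooks are assumed), the following shows a state-changing admin-post handler with no CSRF protection beside the hardened form and handlers that use WordPress's nonce and capability checks:

```php
<?php
// Hypothetical plugin settings code for illustration; not from Feather Login Page.

// Before: an admin-post handler with no nonce and no capability check (CWE-352).
add_action( 'admin_post_fl_save_settings_unsafe', 'fl_save_settings_unsafe' );
function fl_save_settings_unsafe() {
    // Any cross-origin form submitted by a logged-in victim's browser reaches
    // this line and silently changes the option.
    update_option( 'fl_redirect_url', esc_url_raw( $_POST['fl_redirect_url'] ?? '' ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=fl-settings' ) );
    exit;
}

// After: the form embeds a nonce bound to a specific action ...
function fl_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'fl_save_settings', 'fl_nonce' ); ?>
        <input type="hidden" name="action" value="fl_save_settings">
        <input type="url" name="fl_redirect_url"
               value="<?php echo esc_attr( get_option( 'fl_redirect_url', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// ... and the handler verifies both the nonce and the user's capability.
add_action( 'admin_post_fl_save_settings', 'fl_save_settings' );
function fl_save_settings() {
    // Authorization first: a nonce proves intent, not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() wraps wp_verify_nonce() and dies on a missing/invalid nonce.
    check_admin_referer( 'fl_save_settings', 'fl_nonce' );
    update_option( 'fl_redirect_url', esc_url_raw( $_POST['fl_redirect_url'] ?? '' ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=fl-settings' ) );
    exit;
}

// AJAX handlers follow the same pattern; check_ajax_referer() sends a 403 on failure.
add_action( 'wp_ajax_fl_toggle_feature', 'fl_toggle_feature' );
function fl_toggle_feature() {
    check_ajax_referer( 'fl_toggle_feature', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'fl_feature_enabled', ! empty( $_POST['enabled'] ) );
    wp_send_json_success();
}
```

The nonce must be created with wp_create_nonce( 'fl_toggle_feature' ) on the page that issues the AJAX call and sent as the nonce parameter, otherwise the hardened handler rejects the request.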
Affected Products
PluginOps Feather Login Page WordPress plugin versions 1.1.7 and earlier are affected. The plugin is distributed through the official WordPress.org plugin repository. No specific CPE identifier is provided in available data; affected installations can be identified by checking WordPress plugin listings or using WordPress security scanning tools to detect installations running version 1.1.7 or below of feather-login-page.
Remediation
Update the Feather Login Page plugin to a version after 1.1.7; consult the official WordPress plugin repository or the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/feather-login-page/vulnerability/wordpress-feather-login-page-plugin-1-1-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve for the latest patched release. If a patched version is not yet available, temporarily disable the plugin until an update is released, or review plugin settings to restrict functionality to trusted users only. WordPress administrators should enable automatic plugin updates through the WordPress dashboard to receive security patches promptly upon release.