CVE-2025-62120

2025-12-31

Lifecycle Timeline

CVE Published: Dec 31, 2025 - 14:15 (nvd)
Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)

Description

Cross-Site Request Forgery (CSRF) vulnerability in Rick Beckman OpenHook thesis-openhook allows Cross Site Request Forgery. This issue affects OpenHook: from n/a through <= 4.3.1.

Analysis

Cross-Site Request Forgery (CSRF) vulnerability in OpenHook WordPress plugin version 4.3.1 and earlier allows attackers to perform unauthorized actions on behalf of authenticated users by tricking them into visiting malicious web pages. The vulnerability affects the popular thesis-openhook plugin and could enable unauthorized configuration changes or administrative actions without explicit user consent. With an EPSS score of 0.02% (5th percentile) and no CVSS severity assigned, this represents a low probability of exploitation in practice, though CSRF vulnerabilities remain a concern in WordPress ecosystem plugins.

Technical Context

This is a classic Cross-Site Request Forgery (CWE-352) vulnerability in a WordPress plugin, indicating that the OpenHook plugin fails to properly implement or validate anti-CSRF tokens (nonces) on state-changing requests. WordPress provides wp_nonce_field() to embed a nonce in a form and wp_verify_nonce() (or the check_admin_referer() wrapper around it) to verify the nonce on the receiving side, but the plugin likely omits these protections on one or more administrative or user-facing actions. The OpenHook plugin (also referenced as thesis-openhook, likely used with the Thesis WordPress theme) is a WordPress plugin that handles webhooks or custom hooks. Without proper nonce validation, any POST, GET, or other state-changing request initiated from a third-party site is executed in the context of a logged-in administrator's or user's session.
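The following is an added illustration, not OpenHook's own code: a generic WordPress admin-post settings handler in the shape CWE-352 describes, shown beside its hardened form with the nonce and capability checks described above. All hook names, option names and form field names are hypothetical.

```php
<?php
// Added illustration, not code from the OpenHook plugin. Every hook,
// option and field name below is hypothetical.

// --- Vulnerable pattern: no nonce check, no capability check ------------
// The handler trusts any request that arrives with a valid login cookie,
// so a cross-origin POST made by the victim's browser is accepted as-is.
add_action( 'admin_post_example_save_vuln', 'example_save_settings_vuln' );
function example_save_settings_vuln() {
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );
    update_option( 'example_hook_content', $content );
    wp_safe_redirect( admin_url( 'admin.php?page=example' ) );
    exit;
}

// --- Hardened pattern ---------------------------------------------------
// 1. The form carries a nonce bound to this action and the current user.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save', 'example_nonce' ); ?>
        <input type="hidden" name="action" value="example_save">
        <textarea name="content"></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

// 2. The handler verifies the nonce AND the capability before changing state.
add_action( 'admin_post_example_save', 'example_save_settings' );
function example_save_settings() {
    // check_admin_referer() calls wp_verify_nonce() and dies with a 403 on failure.
    check_admin_referer( 'example_save', 'example_nonce' );

    // A nonce proves intent, not authority: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), 403 );
    }

    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );
    update_option( 'example_hook_content', $content );
    wp_safe_redirect( admin_url( 'admin.php?page=example' ) );
    exit;
}
```

When reviewing a plugin for this class of bug, look for every admin_post_*, wp_ajax_* and options-form handler and confirm each one reaches a nonce check before its first update_option(), database write or file operation.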

Affected Products

OpenHook (thesis-openhook) WordPress plugin versions 4.3.1 and earlier are affected. The plugin is distributed via the WordPress plugin repository, and the advisory is tracked in the Patchstack vulnerability database. No specific CPE string is provided in the available data, but the affected software can be identified as the 'thesis-openhook' WordPress plugin from Rick Beckman with version range through 4.3.1. Additional details and advisory information are available at the Patchstack vulnerability database entry: https://patchstack.com/database/Wordpress/Plugin/thesis-openhook/vulnerability/wordpress-openhook-plugin-4-3-1-cross-site-request-forgery-csrf-vulnerability.

Remediation

Users of the OpenHook (thesis-openhook) WordPress plugin should upgrade immediately to the latest available version beyond 4.3.1. Check the WordPress plugin repository for the current patched release and update through the WordPress admin dashboard (Plugins > Installed Plugins > Update). If a specific patched version number is available from the plugin author, prioritize that release. As an interim mitigation, administrators should limit access to the WordPress admin panel by IP address or Web Application Firewall (WAF) rules, enforce strong authentication (two-factor authentication), and monitor admin logs for suspicious activities. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/thesis-openhook/vulnerability/wordpress-openhook-plugin-4-3-1-cross-site-request-forgery-csrf-vulnerability provides additional vendor guidance.

Priority Score: 0
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0

CVE-2025-62120 vulnerability details – vuln.today