Skip to main content

Rick Beckman OpenHook CVE-2025-62120

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-12-31 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 14:15 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Rick Beckman OpenHook thesis-openhook allows Cross Site Request Forgery.This issue affects OpenHook: from n/a through <= 4.3.1.

AnalysisAI

Cross-Site Request Forgery (CSRF) vulnerability in OpenHook WordPress plugin version 4.3.1 and earlier allows attackers to perform unauthorized actions on behalf of authenticated users by tricking them into visiting malicious web pages. The vulnerability affects the popular thesis-openhook plugin and could enable unauthorized configuration changes or administrative actions without explicit user consent. With an EPSS score of 0.02% (5th percentile) and no CVSS severity assigned, this represents a low probability of exploitation in practice, though CSRF vulnerabilities remain a concern in WordPress ecosystem plugins.

Technical ContextAI

This is a classic Cross-Site Request Forgery (CWE-352) vulnerability in a WordPress plugin, indicating that the OpenHook plugin fails to properly validate or validate anti-CSRF tokens (nonces) on state-changing requests. WordPress typically provides the wp_nonce_field() function and verification via wp_verify_nonce() to protect against CSRF attacks, but the plugin likely omits these protections on one or more administrative or user-facing actions. The OpenHook plugin (also referenced as thesis-openhook, likely used with the Thesis WordPress theme) is a WordPress plugin that handles webhooks or custom hooks. Without proper nonce validation, any POST, GET, or other state-changing request initiated from a third-party site can be executed in the context of a logged-in administrator or user's session.

Affected ProductsAI

OpenHook (thesis-openhook) WordPress plugin versions 4.3.1 and earlier are affected. The plugin is distributed via the WordPress plugin repository and Patchstack vulnerability database. No specific CPE string is provided in the available data, but the affected software can be identified as the 'thesis-openhook' WordPress plugin from Rick Beckman with version range through 4.3.1. Additional details and advisory information are available at the Patchstack vulnerability database entry: https://patchstack.com/database/Wordpress/Plugin/thesis-openhook/vulnerability/wordpress-openhook-plugin-4-3-1-cross-site-request-forgery-csrf-vulnerability.

RemediationAI

Users of the OpenHook (thesis-openhook) WordPress plugin should upgrade immediately to the latest available version beyond 4.3.1. Check the WordPress plugin repository for the current patched release and update through the WordPress admin dashboard (Plugins > Installed Plugins > Update). If a specific patched version number is available from the plugin author, prioritize that release. As an interim mitigation, administrators should limit access to the WordPress admin panel by IP address or Web Application Firewall (WAF) rules, enforce strong authentication (two-factor authentication), and monitor admin logs for suspicious activities. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/thesis-openhook/vulnerability/wordpress-openhook-plugin-4-3-1-cross-site-request-forgery-csrf-vulnerability provides additional vendor guidance.

Share

CVE-2025-62120 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy