CVE-2025-62133
Description
Cross-Site Request Forgery (CSRF) vulnerability in manidoraisamy FormFacade formfacade allows Cross Site Request Forgery. This issue affects FormFacade: from n/a through <= 1.4.1.
Analysis
FormFacade WordPress plugin version 1.4.1 and earlier contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. The vulnerability requires user interaction (clicking a malicious link) but can lead to modification of plugin settings or data depending on affected functionality. EPSS exploitation probability is low at 0.02%, and no public exploit code or active exploitation has been identified.
Technical Context
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw classified under CWE-352, which occurs when a web application fails to verify that a state-changing request was intentionally issued by the legitimate user. FormFacade, a WordPress plugin for form management, does not adequately validate a CSRF token (a WordPress nonce) or otherwise check the origin of requests to its administrative functions. An attacker can craft a malicious webpage or email containing a request to those functions. When a logged-in WordPress administrator or authorized user visits the attacker's site while authenticated to WordPress, the browser automatically attaches the WordPress session cookies, so the plugin executes the attacker's requested action without any proof that the user intended it.
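The following is an added example, not FormFacade's code and not derived from the plugin: a hypothetical WordPress plugin settings handler written first in the shape the CWE-352 description above implies (the request is accepted on the strength of the session cookie alone) and then hardened with the two checks WordPress provides for exactly this purpose, a nonce tied to the action and user, and a capability check. The action names, option name, form field and settings page slug are all assumptions chosen for the illustration.

```php
<?php
/*
 * Added example (not FormFacade's code). Hypothetical plugin settings handler
 * shown without and then with request validation. Action names, option names
 * and the settings page slug are assumptions, not identifiers from the plugin.
 */

// --- Vulnerable pattern: trusts the session cookie alone --------------------
// A form on any third-party page that POSTs to
// admin-post.php?action=ff_save_settings_insecure is accepted, because nothing
// ties the request to a page the administrator actually rendered and submitted.
function ff_save_settings_insecure() {
    if ( ! isset( $_POST['ff_notify_email'] ) ) {
        wp_die( 'Missing field', '', array( 'response' => 400 ) );
    }
    update_option( 'ff_notify_email', sanitize_email( wp_unslash( $_POST['ff_notify_email'] ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=ff-settings' ) );
    exit;
}
add_action( 'admin_post_ff_save_settings_insecure', 'ff_save_settings_insecure' );

// --- Hardened pattern: nonce + capability check ------------------------------
// 1. The settings form embeds a nonce bound to the 'ff_save_settings' action and
//    the current user's session. A cross-site page cannot read this value.
function ff_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'ff_save_settings', 'ff_nonce' ); ?>
        <input type="hidden" name="action" value="ff_save_settings">
        <label>Notification e-mail
            <input type="email" name="ff_notify_email"
                   value="<?php echo esc_attr( get_option( 'ff_notify_email', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. The handler refuses the request unless both checks pass.
function ff_save_settings() {
    // Capability check: only users allowed to manage options may change settings.
    // This alone does not stop CSRF (the victim is such a user), but it limits
    // which accounts are useful targets.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // Nonce check: check_admin_referer() validates the 'ff_nonce' field against
    // the 'ff_save_settings' action and terminates the request when the token is
    // missing, expired or does not belong to this user. This is the check whose
    // absence makes a CSRF attack succeed.
    check_admin_referer( 'ff_save_settings', 'ff_nonce' );

    $email = isset( $_POST['ff_notify_email'] )
        ? sanitize_email( wp_unslash( $_POST['ff_notify_email'] ) )
        : '';
    if ( '' === $email || ! is_email( $email ) ) {
        wp_die( 'Invalid e-mail address', '', array( 'response' => 400 ) );
    }

    update_option( 'ff_notify_email', $email );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=ff-settings' ) ) );
    exit;
}
add_action( 'admin_post_ff_save_settings', 'ff_save_settings' );
```

The same pair of checks applies to AJAX endpoints (`wp_ajax_*` hooks, typically with `check_ajax_referer()`) and to REST routes (a `permission_callback` that verifies capability, with the `X-WP-Nonce` header validated by core). When reviewing a plugin for this class of bug, the question to ask of every `admin_post_*`, `wp_ajax_*` and `admin_init` handler that writes options or data is simply whether a nonce is verified before the write.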
Affected Products
FormFacade WordPress plugin versions 1.4.1 and earlier are affected. The plugin is available on the WordPress plugin repository. Affected users should consult the Patchstack database entry (referenced at patchstack.com/database/Wordpress/Plugin/formfacade) for confirmation of their installed version.
Remediation
Update FormFacade to the patched version released after 1.4.1 immediately. Consult the official Patchstack vulnerability database and the plugin's WordPress repository page for the specific patched version number and download link. As a temporary workaround pending patching, WordPress administrators should restrict plugin settings access to trusted users only and monitor user activity logs for suspicious form modifications or settings changes. Where the server configuration allows it, set the SameSite attribute on WordPress session cookies; this is a cookie attribute rather than a response header, and it provides partial CSRF protection across all WordPress plugins, not only FormFacade.