CVE-2025-62148

2025-12-31

Lifecycle Timeline

- CVE Published: Dec 31, 2025 - 16:15 (nvd)
- Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)

Description

Cross-Site Request Forgery (CSRF) vulnerability in Eugen Bobrowski Robots.txt rewrite robotstxt-rewrite allows Cross Site Request Forgery. This issue affects Robots.txt rewrite: from n/a through <= 1.6.1.

Analysis

Cross-site request forgery (CSRF) in the Robots.txt Rewrite WordPress plugin (versions up to and including 1.6.1) lets an unauthenticated attacker perform the plugin's state-changing administrative actions with an administrator's privileges. The attacker does not need credentials: they need an administrator who is logged in to WordPress to load attacker-controlled content (a page, an e-mail with an embedded link, an image tag), at which point the browser submits the forged request with the victim's session cookies attached. The vulnerability affects the plugin's administrative functions and carries a low exploitation probability (EPSS 0.02%), with no public exploit code or active exploitation reported at the time of analysis.

Technical Context

The vulnerability stems from insufficient CSRF token validation (CWE-352) in the Robots.txt Rewrite WordPress plugin. WordPress plugins that manage sensitive functionality such as robots.txt modification are expected to verify a nonce on every state-changing operation. The plugin fails to properly validate CSRF tokens on administrative actions, so a request crafted by an attacker executes in the context of an authenticated admin session. This is a common class of defect in WordPress plugin development: the handler behind a settings form or an admin-ajax.php endpoint trusts the session cookie alone instead of calling check_admin_referer() or wp_verify_nonce() on the submitted token. Two details matter for reviewers. First, a WordPress nonce is derived from the action name, the user ID and the user's session token under a site secret, so a cross-site page cannot produce one; emitting wp_nonce_field() into the form achieves nothing unless the handler actually checks the value. Second, a nonce check alone is not an authorization check: any logged-in user can mint a nonce for their own session, so the handler must also call current_user_can() with an appropriate capability (for a settings page, typically manage_options).

Affected Products

Eugen Bobrowski's Robots.txt Rewrite WordPress plugin (slug robotstxt-rewrite), all versions up to and including 1.6.1; no lower bound is given. This is a publicly distributed WordPress plugin, so any WordPress installation on which it is installed and activated is affected. No CPE string was provided in the references; affected installations are identified by the plugin slug and version rather than by CPE.

Remediation

The primary remediation is to update the Robots.txt Rewrite plugin to a version greater than 1.6.1 once a patched release is available. Site administrators should review security updates from the plugin developer through the WordPress plugin repository or the advisory at patchstack.com/database/Wordpress/Plugin/robotstxt-rewrite/. As a temporary workaround pending an official patch, disable the plugin if robots.txt modification is not currently required. Note that IP allowlisting of wp-admin does not mitigate CSRF: the forged request is sent by the administrator's own browser, from the administrator's own address, with the administrator's own cookies. Browser SameSite cookie defaults blunt some cross-site POST submissions but do not cover state changes triggered by GET, so they should not be relied on either. Administrators who can review the plugin code can confirm that the settings handler, not merely the form, calls check_admin_referer() or wp_verify_nonce() on the submitted nonce and also checks a capability with current_user_can() before writing anything.
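The following is an added example that illustrates both the Technical Context and the Remediation sections; it is not code from the plugin, from WordPress, or from vuln.today. WordPress is PHP, but the model below is written in Python so that it runs stand-alone: it reimplements the nonce scheme WordPress uses (HMAC-MD5 of tick|action|user|session-token under a site secret, 10 hex characters, two-tick validity window) and puts a handler in the shape this bug class takes next to a hardened one that checks the nonce and the capability. The action name, salt, session tokens, user IDs and timestamp are constructed for the example, and the handlers are hypothetical; they do not describe the plugin's actual code paths.

```python
import hashlib
import hmac
import math

# Constructed site secret. WordPress derives this from NONCE_KEY/NONCE_SALT in
# wp-config.php; the point is that a cross-site page never has it.
NONCE_SALT = b"constructed-nonce-salt-not-a-real-site-secret"
NONCE_LIFE = 86400  # DAY_IN_SECONDS, the default from the 'nonce_life' filter
ACTION = "robotstxt_rewrite_save"  # hypothetical action name for this example


def nonce_tick(now: float) -> int:
    """wp_nonce_tick(): the half-life window the nonce belongs to."""
    return math.ceil(now / (NONCE_LIFE / 2))


def wp_hash(data: str) -> str:
    """wp_hash(): HMAC-MD5 keyed with the site's nonce salt."""
    return hmac.new(NONCE_SALT, data.encode(), hashlib.md5).hexdigest()


def create_nonce(action: str, uid: int, session_token: str, now: float) -> str:
    """wp_create_nonce(): substr(hash(tick|action|uid|token), -12, 10)."""
    i = nonce_tick(now)
    return wp_hash(f"{i}|{action}|{uid}|{session_token}")[-12:-2]


def verify_nonce(nonce: str, action: str, uid: int, session_token: str, now: float) -> int:
    """wp_verify_nonce(): 1 if minted this tick, 2 if the previous tick, 0 otherwise."""
    if not nonce:
        return 0
    i = nonce_tick(now)
    for tick, result in ((i, 1), (i - 1, 2)):
        expected = wp_hash(f"{tick}|{action}|{uid}|{session_token}")[-12:-2]
        if hmac.compare_digest(expected, nonce):
            return result
    return 0


def save_vulnerable(session: dict, post: dict, store: dict) -> bool:
    """Shape of the bug class: trusts the session cookie alone. A form
    auto-submitted from any origin carries that cookie, so it passes."""
    if session.get("uid") is None:
        return False
    store["robots.txt"] = post.get("robots_txt", "")
    return True


def save_hardened(session: dict, post: dict, store: dict, now: float) -> bool:
    """Equivalent of current_user_can('manage_options') plus check_admin_referer():
    the nonce binds the request to this user's own session and this action, and
    the capability check stops low-privilege users who can mint their own nonce."""
    uid = session.get("uid")
    if uid is None or "manage_options" not in session.get("caps", ()):
        return False
    if verify_nonce(post.get("_wpnonce", ""), ACTION, uid, session["token"], now) == 0:
        return False
    store["robots.txt"] = post.get("robots_txt", "")
    return True


def run_scenario() -> dict:
    """Constructed sessions and requests; returns each handler's decision."""
    now = 1_767_225_600.0  # constructed fixed timestamp (2026-01-01 00:00 UTC)
    admin = {"uid": 1, "token": "adm-session-token", "caps": {"manage_options"}}
    subscriber = {"uid": 7, "token": "sub-session-token", "caps": {"read"}}
    results = {}

    # 1. Cross-site form: the browser attaches the admin's cookie; the attacker
    #    cannot supply a nonce because the salt and session token are unknown.
    csrf_post = {"robots_txt": "User-agent: *\nDisallow: /"}
    results["csrf_vuln"] = save_vulnerable(admin, csrf_post, {})
    results["csrf_hardened"] = save_hardened(admin, csrf_post, {}, now)

    # 2. Legitimate admin submission from the plugin's own settings page.
    legit = dict(csrf_post, _wpnonce=create_nonce(ACTION, 1, admin["token"], now))
    results["admin_hardened"] = save_hardened(admin, legit, {}, now)

    # 3. Subscriber with a valid nonce for their own session: capability missing.
    sub_post = dict(csrf_post, _wpnonce=create_nonce(ACTION, 7, subscriber["token"], now))
    results["subscriber_hardened"] = save_hardened(subscriber, sub_post, {}, now)

    # 4. The admin's nonce replayed against a different session token fails.
    results["other_session"] = verify_nonce(legit["_wpnonce"], ACTION, 1, "other-token", now)
    # 5. Ageing: the previous tick still verifies (2), two ticks on it is dead (0).
    results["prev_tick"] = verify_nonce(legit["_wpnonce"], ACTION, 1, admin["token"], now + NONCE_LIFE / 2)
    results["expired"] = verify_nonce(legit["_wpnonce"], ACTION, 1, admin["token"], now + NONCE_LIFE)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The scenario shows why each half of the fix is needed: without the nonce check the forged cross-site request succeeds, and with the nonce check alone a subscriber could still reach the handler with a nonce minted for their own session, which is why the capability check sits in front of it. In real WordPress code, check_admin_referer() terminates the request with wp_die() on failure rather than returning false.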

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
- KEV: 0
- EPSS: +0.0
- CVSS: +0
- POC: 0
