Skip to main content

Eugen Bobrowski Robots.txt CVE-2025-62148

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-12-31 audit@patchstack.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
4.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 16:15 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Eugen Bobrowski Robots.txt rewrite robotstxt-rewrite allows Cross Site Request Forgery.This issue affects Robots.txt rewrite: from n/a through <= 1.6.1.

AnalysisAI

Cross-site request forgery (CSRF) in the Robots.txt Rewrite WordPress plugin (versions up to 1.6.1) allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting a malicious webpage. The vulnerability affects the plugin's administrative functions and carries a low exploitation probability (EPSS 0.02%), with no public exploit code or active exploitation reported at time of analysis.

Technical ContextAI

The vulnerability stems from insufficient CSRF token validation (CWE-352) in the Robots.txt Rewrite WordPress plugin. WordPress plugins that manage sensitive functionality like robots.txt modification are expected to implement nonce verification on all state-changing operations. The plugin fails to properly validate CSRF tokens on administrative actions, allowing an attacker to craft a malicious request that executes in the context of an authenticated admin session. This is a common class of vulnerability in WordPress plugin development when developers fail to use WordPress nonce functions (wp_verify_nonce) on form submissions and AJAX endpoints.

Affected ProductsAI

Eugen Bobrowski's Robots.txt Rewrite WordPress plugin (robotstxt-rewrite) in all versions from an unspecified baseline through version 1.6.1 inclusive. This is a publicly distributed WordPress plugin that runs on any WordPress installation where it has been installed and activated. No specific CPE string was provided in the references, though WordPress plugins are typically classified under enterprise-wide WordPress security advisories.

RemediationAI

The primary remediation is to update the Robots.txt Rewrite plugin to a version greater than 1.6.1 once a patched release is available. Site administrators should immediately review any available security updates from the plugin developer through the WordPress plugin repository or the vendor's direct advisory channel at patchstack.com/database/Wordpress/Plugin/robotstxt-rewrite/. As a temporary workaround pending an official patch, disable the plugin if robots.txt modification is not currently required, or limit administrative access to trusted users with appropriate IP whitelisting if using a Web Application Firewall. WordPress administrators should ensure nonce verification is enabled on all administrative forms by confirming the plugin uses wp_nonce_field() and wp_verify_nonce() functions correctly.

Share

CVE-2025-62148 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy