
WPGraphQL CVE-2025-68604

EUVD-2025-209718 | MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-07 | Patchstack | GHSA-655c-g9rr-96vv
CVSS 3.1 score: 5.4

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: May 07, 2026 - 09:01 (vuln.today)
CVE Published: May 07, 2026 - 07:40 (nvd)

Description (NVD)

Cross-Site Request Forgery (CSRF) vulnerability in WPGraphQL allows Cross Site Request Forgery.

This issue affects WPGraphQL: from n/a through 2.5.3.

Analysis (AI-generated)

Cross-site request forgery (CSRF) in WPGraphQL plugin versions up to 2.5.3 allows an unauthenticated attacker to perform unauthorized actions on behalf of an authenticated WordPress user, provided that user interacts (typically by clicking a malicious link). The flaw is the GraphQL endpoint's lack of token-based request verification, which lets an attacker craft requests that authenticated site users are tricked into executing without their knowledge. No public exploit code or active exploitation has been confirmed.

Technical Context (AI-generated)

WPGraphQL is a WordPress plugin that exposes WordPress data and functionality through a GraphQL API endpoint. The vulnerability stems from insufficient CSRF protection on GraphQL requests (CWE-352: Cross-Site Request Forgery). GraphQL endpoints typically handle POST requests that modify data (mutations); when CSRF tokens are missing or not properly validated, an attacker can forge such requests from an external site. The plugin's CPE identifier (cpe:2.3:a:wpgraphql:wpgraphql:*:*:*:*:*:*:*:*) is listed as affected for all versions through 2.5.3. Modern WordPress uses nonce-based CSRF protection; this vulnerability suggests that WPGraphQL's endpoint bypasses or insufficiently validates these nonces on certain mutations.

Remediation (AI-generated)

Upgrade the WPGraphQL plugin to version 2.5.4 or later immediately. The vendor advisory via Patchstack (https://patchstack.com/database/wordpress/plugin/wp-graphql/vulnerability/wordpress-wpgraphql-plugin-2-5-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) provides patch information. If an immediate upgrade is not feasible, set the SameSite=Strict attribute on WordPress cookies (for example by rewriting Set-Cookie headers at the web server level) to mitigate CSRF site-wide; this affects all plugins and may break some cross-site integrations. Additionally, if your use case permits, restrict GraphQL endpoint access to authenticated users only, using WordPress role-based capability checks on the plugin's graphql_init hook. Monitor GraphQL mutation logs for unexpected requests originating from external referrers, using a WordPress security plugin such as Wordfence or Sucuri.
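As an added hardening example (my own code, not WPGraphQL's or the advisory's), the nonce check that the Technical Context section describes, applied to cookie-authenticated GraphQL requests as a must-use plugin; it assumes the plugin's default /graphql endpoint and a hypothetical, already-registered my-graphql-client script handle.

```php
<?php
/**
 * Plugin Name: GraphQL cookie-session nonce guard (added hardening example)
 *
 * Mirrors the check WordPress core applies to REST requests in
 * rest_cookie_check_errors(): a GraphQL request that carries a logged-in
 * session cookie but no valid "wp_rest" nonce runs as an anonymous request,
 * so a forged cross-site request cannot act as the cookie's user.
 * Assumptions: the endpoint is WPGraphQL's default "/graphql" and same-origin
 * clients send the nonce in an X-WP-Nonce header or a _wpnonce parameter.
 */

add_action( 'init', 'csrf_guard_graphql_cookie_session' );

function csrf_guard_graphql_cookie_session() {
	$endpoint = '/graphql'; // assumed default endpoint path
	$uri  = isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '';
	$path = wp_parse_url( $uri, PHP_URL_PATH );
	if ( ! is_string( $path ) || rtrim( $path, '/' ) !== $endpoint ) {
		return; // Not a GraphQL request: leave it alone.
	}

	// Only a browser session cookie is CSRF-prone. Requests authenticated some
	// other way (e.g. a token header) and anonymous requests are left as they are.
	if ( false === wp_validate_auth_cookie( '', 'logged_in' ) ) {
		return;
	}

	$nonce = null;
	if ( isset( $_REQUEST['_wpnonce'] ) ) {
		$nonce = sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) );
	} elseif ( isset( $_SERVER['HTTP_X_WP_NONCE'] ) ) {
		$nonce = sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_WP_NONCE'] ) );
	}

	// Missing or foreign nonce: run the request as an anonymous user instead of
	// with the ambient cookie session. A forged link or form cannot read the
	// per-user nonce, so it never passes this check.
	if ( null === $nonce || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
		wp_set_current_user( 0 );
	}
}

// Hand the nonce to a same-origin script so legitimate logged-in requests still
// work; 'my-graphql-client' is a hypothetical, already-registered script handle.
add_action( 'wp_enqueue_scripts', function () {
	wp_localize_script( 'my-graphql-client', 'graphqlAuth', array( 'nonce' => wp_create_nonce( 'wp_rest' ) ) );
} );
```

Install it under wp-content/mu-plugins/ so it loads before WPGraphQL handles the request on parse_request; if the endpoint setting was changed, update $endpoint to match.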


CVE-2025-68604 vulnerability details – vuln.today
