CVE-2025-25101
Published: 07 February 2025
Summary
CVE-2025-25101 is a critical-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in the MetricThemes Munk Sites WordPress plugin. Its CVSS v3.1 base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked in the top 20.3% of CVEs by exploit likelihood and is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability, tracked as CVE-2025-25101, is a Cross-Site Request Forgery (CSRF) flaw in the MetricThemes Munk Sites WordPress plugin (slug munk-sites). It affects all versions through 1.0.7, is assigned CWE-352, and carries a CVSS 3.1 base score of 9.6. A plugin action that installs plugins does not verify that the request originated from the site itself, so a forged cross-site request can trigger arbitrary plugin installation.
An unauthenticated remote attacker exploits the flaw by hosting a page or link that submits the crafted request; it executes when an authenticated administrator visits that page, because the browser attaches the administrator's session cookies. The attacker gains the ability to install arbitrary plugins, which in WordPress is equivalent to running attacker-chosen PHP on the server and can lead to code execution, data compromise, or full site takeover. The 9.6 score reflects the changed scope and high impact on confidentiality, integrity, and availability; the only precondition is a single click by a logged-in administrator.
The primary advisory reference from Patchstack characterizes the issue as CSRF to arbitrary plugin installation and is the source of the coordinated disclosure. No separate vendor patch or mitigation steps are detailed in the available references, so operators should treat every version up to and including 1.0.7 as vulnerable and check the plugin's changelog for a release that adds nonce verification to the install action.
EPSS has remained flat since publication, with both the peak and current value at 0.0124 (roughly a 1.2% estimated probability of exploitation activity in the next 30 days), indicating no material increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4032
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in MetricThemes Munk Sites munk-sites allows Cross Site Request Forgery. This issue affects Munk Sites: from n/a through <= 1.0.7.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application)
Why these techniques?
The flaw sits in a public-facing WordPress plugin and is triggered by luring an authenticated administrator to a malicious page or link; the forged request then installs an arbitrary plugin, which maps to exploitation of a public-facing application (T1190).
Affected Assets
- MetricThemes Munk Sites WordPress plugin (munk-sites), all versions through 1.0.7
Mitigating Controls (NIST 800-53 r5)
SC-23 (Session Authenticity) requires that state-changing requests be bound to the authenticated session; in WordPress terms, a per-user, per-action nonce that a cross-site page cannot obtain, which is exactly the check a CSRF-vulnerable handler lacks.
SI-10 (Information Input Validation) requires validating the inputs of the install request, including the nonce and the identifier of the plugin to be installed, so that forged or malformed requests are rejected rather than acted on.
SI-2 (Flaw Remediation) mandates identifying and correcting flaws such as this one through timely patching; until a fixed Munk Sites release is available, the practical interim measures are keeping administrators from browsing untrusted sites while logged in and restricting who holds the install_plugins capability.
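The SC-23 and SI-10 controls above correspond to concrete checks in a WordPress request handler. What follows is an added illustration, not the Munk Sites plugin's own code: a hypothetical admin-ajax plugin-install handler in the vulnerable shape the advisory describes (no nonce, no capability check, no input validation) beside a hardened version built on WordPress's standard APIs (`check_ajax_referer`, `current_user_can('install_plugins')`, `sanitize_key`, `Plugin_Upgrader`). The action names, the nonce action string, the `slug` parameter and the `munk-admin` script handle are assumptions made for the example.

```php
<?php
/**
 * Added illustration (not the Munk Sites plugin's code). Hypothetical
 * admin-ajax handlers that install a plugin from WordPress.org: the first in
 * the CSRF-vulnerable shape, the second hardened. Action names, nonce action
 * string and request parameter names are assumptions.
 */

// --- Vulnerable pattern: admin-ajax.php runs this for any request carrying an
// authenticated admin's cookies, so a forged cross-site POST installs a plugin.
add_action( 'wp_ajax_munk_install_plugin_vulnerable', 'munk_install_plugin_vulnerable' );
function munk_install_plugin_vulnerable() {
    $slug = $_POST['slug'];       // untrusted and unvalidated (SI-10 gap)
    munk_do_install( $slug );     // no nonce (SC-23 gap), no capability check
    wp_die();
}

// --- Hardened pattern.
add_action( 'wp_ajax_munk_install_plugin', 'munk_install_plugin_secure' );
function munk_install_plugin_secure() {
    // 1. Session authenticity (SC-23): the request must carry a nonce minted
    //    for this user and this action. A cross-site page cannot read it, so a
    //    forged request dies here with HTTP 403 before anything else runs.
    check_ajax_referer( 'munk_install_plugin', 'nonce' );

    // 2. Authorization: CSRF rides on the victim's privileges, so also refuse
    //    users who are not allowed to install plugins in the first place.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Input validation (SI-10): accept only a well-formed WordPress.org slug.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug || ! preg_match( '/^[a-z0-9-]{1,64}$/', $slug ) ) {
        wp_send_json_error( array( 'message' => 'invalid plugin slug' ), 400 );
    }

    $result = munk_do_install( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}

// Shared install routine: resolves the slug through the WordPress.org plugin
// API and runs the core Plugin_Upgrader. It deliberately performs no security
// checks of its own, so every caller must do them first.
function munk_do_install( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $api->download_link );
    return ( true === $installed )
        ? true
        : new WP_Error( 'install_failed', 'plugin install failed' );
}

// Client side: the admin page that triggers the install must embed a nonce for
// the same action string so the handler can verify it. Assumes a script with
// handle 'munk-admin' has already been registered by the plugin.
function munk_enqueue_install_nonce() {
    wp_localize_script( 'munk-admin', 'munkInstall', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'munk_install_plugin' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'munk_enqueue_install_nonce' );
```

The order of the checks matters: the nonce check comes first so that a forged request is rejected before any capability lookup or API call, and the capability check is still required because a nonce only proves the request came from a page the site served to that user, not that the user may install plugins. Reviewing a plugin for this class of bug means locating every `wp_ajax_*`, `admin_post_*` and `admin_init` handler that changes state and confirming that each one calls `check_ajax_referer`, `check_admin_referer` or `wp_verify_nonce` before acting on request data.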