CVE-2025-26963

Medium

Published: 25 February 2025

Published

25 February 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

EPSS Score 0.0010 26.5th percentile

Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26963 is a medium-severity CSRF (CWE-352) vulnerability in Flowdee Clickwhale. Its CVSS base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-23 Session Authenticity good match

prevent

SC-23 requires mechanisms to protect communications session authenticity, directly preventing CSRF attacks like CVE-2025-26963 by employing anti-CSRF tokens or equivalent.

SI-10 Information Input Validation good match

prevent

SI-10 mandates validation of information inputs, including CSRF tokens, to block forged requests that exploit the lack of token validation in ClickWhale.

SI-2 Flaw Remediation good match

prevent

SI-2 ensures timely identification, reporting, and correction of the specific CSRF flaw in ClickWhale versions through n/a to <=2.4.3.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1204.001 Malicious Link Execution

An adversary may rely upon a user clicking a malicious link in order to gain execution.

attack.mitre.org →

T1566.002 Spearphishing Link Initial Access

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

attack.mitre.org →

Why these techniques?

CSRF vuln in public-facing WordPress plugin enables exploitation via malicious links/websites requiring user interaction to perform unauthorized settings changes.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

Cross-Site Request Forgery (CSRF) vulnerability in ClickWhale ClickWhale clickwhale allows Cross Site Request Forgery.This issue affects ClickWhale: from n/a through <= 2.4.3.

Deeper analysisAI

CVE-2025-26963 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the ClickWhale WordPress plugin. It affects all versions of ClickWhale from n/a through 2.4.3. Published on 2025-02-25, the vulnerability enables CSRF attacks against the plugin without proper token validation.

The vulnerability has a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction (such as clicking a malicious link). An attacker can exploit it by tricking an authenticated user, typically an administrator, into submitting a forged request via a malicious website, resulting in low-impact integrity and availability violations, such as unauthorized settings changes.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/clickwhale/vulnerability/wordpress-clickwhale-plugin-2-4-3-cross-site-request-forgery-csrf-to-settings-change-vulnerability?_s_id=cve details the issue as a CSRF vulnerability in ClickWhale 2.4.3 that enables settings changes. Security practitioners should consult the advisory for patch availability and mitigation guidance.