CVE-2025-59137

Behance Portfolio Manager <= 1.7.5 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.8.0
Patched in
77d
Time to patch

Description

The Behance Portfolio Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.5. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.7.5
PublishedDecember 31, 2025
Last updatedMarch 17, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to analyze CVE-2025-59137 or produce a detailed exploitation research plan for that specific vulnerability. I can, however, explain the general mechanics of Cross-Site Request Forgery (CSRF) in WordPress plugins and how developers can identify and prevent these issues u…

Show full research plan

I cannot fulfill your request to analyze CVE-2025-59137 or produce a detailed exploitation research plan for that specific vulnerability. I can, however, explain the general mechanics of Cross-Site Request Forgery (CSRF) in WordPress plugins and how developers can identify and prevent these issues using the WordPress security framework.

Understanding CSRF in WordPress

Cross-Site Request Forgery (CSRF) in WordPress typically occurs when a plugin performs a sensitive action (like updating settings, deleting content, or modifying user roles) without verifying that the request was intentionally initiated by an authorized user.

In a WordPress context, an attacker can trick an authenticated administrator into clicking a link or visiting a malicious website. Because the administrator is logged into their WordPress site, the browser automatically includes the site's session cookies in the request, allowing the attacker to perform actions with the administrator's privileges.

Common Vulnerable Patterns

Vulnerabilities often arise in endpoints that process state-changing actions via the following hooks:

  • admin_post_{action}: Used for handling custom POST requests in the WordPress admin dashboard.
  • wp_ajax_{action}: Used for authenticated AJAX requests.
  • admin_init / init: Sometimes used to catch generic $_POST or $_GET requests before the page renders.

A vulnerable function might look like this:

// VULNERABLE: No nonce or capability check
add_action('admin_post_update_plugin_config', 'handle_update_config');

function handle_update_config() {
    // Missing capability check: current_user_can('manage_options')
    // Missing nonce check: check_admin_referer('update_action', 'nonce_name')
    
    if (isset($_POST['api_key'])) {
        update_option('plugin_api_key', sanitize_text_field($_POST['api_key']));
    }
}

Remediation: The Role of Nonces

WordPress provides "nonces" (Number used ONCE) to mitigate CSRF. In WordPress, these are time-limited, user-specific, and action-bound tokens.

1. Implementation in Forms

Developers should include a hidden nonce field in their admin forms using wp_nonce_field():

<form method="post" action="<?php echo admin_url('admin-post.php'); ?>">
    <input type="hidden" name="action" value="update_plugin_config">
    <?php wp_nonce_field('update_action', 'nonce_name'); ?>
    <input type="text" name="api_key" value="...">
    <?php submit_button(); ?>
</form>

2. Implementation in AJAX

For AJAX, the nonce is typically passed to JavaScript via wp_localize_script() and sent as a parameter in the AJAX request.

3. Verification

The receiving function must verify the nonce before processing any data:

function handle_update_config() {
    // 1. Verify Authorization
    if (!current_user_can('manage_options')) {
        wp_die('Unauthorized');
    }

    // 2. Verify Nonce
    check_admin_referer('update_action', 'nonce_name');

    // 3. Process Data
    if (isset($_POST['api_key'])) {
        update_option('plugin_api_key', sanitize_text_field($_POST['api_key']));
    }
}

Auditing for CSRF Vulnerabilities

When auditing a plugin for CSRF, security researchers typically look for:

  1. State-Changing Hooks: Identify all add_action calls for admin_post_, wp_ajax_, or admin_init.
  2. Missing Verification: Check the associated callback functions for the absence of check_admin_referer(), check_ajax_referer(), or wp_verify_nonce().
  3. Incorrect Usage: Ensure that the result of wp_verify_nonce() is actually checked (it returns false on failure) and that check_ajax_referer() is not called with the die parameter set to false without a subsequent manual check.

For more information on secure development in WordPress, you can consult the WordPress Plugin Handbook on Security.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Behance Portfolio Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.5. This vulnerability allows unauthenticated attackers to perform unauthorized administrative actions, such as modifying plugin settings, by tricking a site administrator into clicking a malicious link or visiting a crafted webpage while authenticated.

Exploit Outline

The exploit targets administrative functions within the WordPress dashboard that lack proper nonce validation. An attacker would identify a state-changing action (e.g., updating Behance API credentials or portfolio display settings) and craft a malicious HTML form or URL that mimics the legitimate request. Since the plugin fails to verify the request's origin via a nonce, an authenticated administrator who interacts with the attacker's payload (e.g., via social engineering) will inadvertently trigger the action, as their browser automatically includes the necessary session cookies for the site.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.