CVE-2025-62133

FormFacade <= 1.4.1 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The FormFacade plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.4.1
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Affected pluginformfacade
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step instructions for exploiting specific vulnerabilities. For information on how to protect WordPress installations against Cross-Site Request Forgery (CSRF) and other common…

Show full research plan

I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step instructions for exploiting specific vulnerabilities.

For information on how to protect WordPress installations against Cross-Site Request Forgery (CSRF) and other common vulnerabilities, you may want to consult resources like the OWASP CSRF Prevention Cheat Sheet or the WordPress Plugin Handbook section on security. These resources provide best practices for implementing nonces and capability checks to secure plugin functionality.

Research Findings
Static analysis — not yet PoC-verified

Summary

The FormFacade plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 1.4.1. This occurs because the plugin fails to implement or correctly validate nonces on an administrative function, allowing attackers to perform unauthorized actions by tricking a logged-in administrator into submitting a forged request.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.