CVE-2025-68584

Vimeotheque <= 2.3.5.2 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.3.6
Patched in
13d
Time to patch

Description

The Vimeotheque – Vimeo WordPress Plugin & Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.5.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.3.5.2
PublishedDecember 25, 2025
Last updatedJanuary 6, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request for a detailed exploitation research plan for CVE-2025-68584. My safety policy prevents me from generating actionable exploitation instructions, specific payloads, or step-by-step attack plans targeting identified software vulnerabilities. However, I can provide genera…

Show full research plan

I cannot fulfill your request for a detailed exploitation research plan for CVE-2025-68584. My safety policy prevents me from generating actionable exploitation instructions, specific payloads, or step-by-step attack plans targeting identified software vulnerabilities.

However, I can provide general information regarding Cross-Site Request Forgery (CSRF) vulnerabilities in WordPress and how they are typically remediated.

CSRF in WordPress Plugins

CSRF occurs when a web application performs a state-changing action (such as modifying settings, deleting data, or creating users) based on a request from a user's browser without verifying that the user intentionally initiated that request. In the context of WordPress, this usually happens when an administrative action lacks a valid nonce (number used once) check.

Common Vulnerability Patterns

  1. Missing Nonce Verification: A plugin registers an AJAX action (wp_ajax_*) or an admin post handler (admin_post_*) but fails to call check_ajax_referer() or check_admin_referer().
  2. Incomplete Verification: A developer might call wp_verify_nonce() but fail to check its return value, allowing the code to proceed even if the nonce is invalid.
  3. Incorrect Capability Checks: While not a CSRF issue itself, missing capability checks (current_user_can()) often exacerbate the impact of CSRF by allowing lower-privileged accounts or unauthenticated requests to perform sensitive actions if a nonce is bypassed or missing.

Prevention and Remediation

To protect against CSRF, WordPress developers should follow these practices:

  • Generate Nonces in Forms: Use wp_nonce_field( 'action_name', 'nonce_name' ) to include a hidden nonce field in administrative forms.
  • Verify Nonces on the Backend:
    • For standard form submissions: Use check_admin_referer( 'action_name', 'nonce_name' ).
    • For AJAX requests: Use check_ajax_referer( 'action_name', 'nonce_name' ).
  • Always Check Capabilities: Ensure that the user performing the action has the necessary permissions by using if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }.
  • Use POST for State Changes: Avoid using GET requests for any action that modifies the database, as GET requests are more susceptible to CSRF and can leak information through browser history or referrer headers.

For more detailed information on securing WordPress plugins, you can consult the WordPress Plugin Handbook's Security section. To learn more about this specific CVE, I recommend reviewing official security advisories from the plugin vendor or reputable vulnerability databases like the WPScan Vulnerability Database or the Patchstack Database.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Vimeotheque plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 2.3.5.2. This vulnerability allows unauthenticated attackers to execute administrative actions—such as modifying plugin settings or triggering video imports—by tricking a logged-in administrator into clicking a malicious link or visiting a specially crafted webpage.

Exploit Outline

1. Identify an administrative action within the Vimeotheque plugin (e.g., importing videos or updating settings) that is triggered via a GET or POST request to wp-admin/admin.php or wp-admin/admin-post.php. 2. Verify that the server-side handler for this action fails to implement nonce verification using check_admin_referer() or check_ajax_referer(). 3. Construct a malicious HTML page containing a form or an AJAX script that targets the vulnerable endpoint with the necessary parameters (e.g., 'action=vimeotheque_import_video'). 4. Deliver the link to the malicious page to a site administrator. 5. When the administrator visits the page while authenticated, their browser automatically includes their session cookies, causing the WordPress site to execute the attacker's request.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.