CVE-2025-12028

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in the IndieAuth WordPress plugin allows attackers to trick authenticated users into approving malicious OAuth authorization requests. Attackers can then steal authorization codes and obtain access tokens, potentially taking over victim accounts with full administrative privileges. All WordPress sites using IndieAuth plugin versions up to 4.5.4 are affected.

💻 Affected Systems

Products:
  • WordPress IndieAuth Plugin
Versions: All versions up to and including 4.5.4
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default plugin configuration. Requires WordPress installation with IndieAuth plugin enabled.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover where attackers gain full administrative access to WordPress sites, allowing them to create, modify, or delete content, install malicious plugins, and compromise the entire site.

🟠 Likely Case

Attackers gain unauthorized access to user accounts with the granted OAuth scopes, potentially leading to content manipulation, data theft, or privilege escalation.

🟢 If Mitigated

With proper CSRF protections and user awareness, exploitation attempts fail, maintaining normal authentication flow security.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires social engineering to trick authenticated users into clicking malicious links or visiting compromised pages while logged in.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.5 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/indieauth

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find the 'IndieAuth' plugin.
  4. Click 'Update Now' if an update is available.
  5. If no update appears, manually download version 4.5.5+ from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable IndieAuth Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate indieauth

Add CSRF Protection Manually

all

Add nonce verification to vulnerable endpoints via custom code

Add wp_verify_nonce() calls to login_form_indieauth() and authorization endpoint functions
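As an added illustration of the "Add CSRF Protection Manually" workaround (example code written for this page, not the IndieAuth plugin's own source), here is a hypothetical consent handler that treats any POST as approval, next to the same handler protected by a per-user, per-client WordPress nonce; every `example_` name is an assumption.

```php
<?php
// Added example, not IndieAuth plugin code: a hypothetical consent handler without a
// nonce, then the same handler protected with wp_nonce_field() / wp_verify_nonce().
// Assumes redirect_uri was already validated against the client's registration.

// Issues a short-lived authorization code bound to user, client and redirect URI.
function example_issue_code( $user_id, $client_id, $redirect_uri ) {
    $code = wp_generate_password( 32, false );
    set_transient( 'example_code_' . $code, compact( 'user_id', 'client_id', 'redirect_uri' ), 10 * MINUTE_IN_SECONDS );
    return $code;
}

// VULNERABLE: any POST from a logged-in browser counts as consent, so a form on an
// attacker-controlled page auto-submitted by the victim's browser is accepted.
function example_approve_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required', 401 );
    }
    $client_id = esc_url_raw( wp_unslash( $_POST['client_id'] ?? '' ) );
    $redirect  = esc_url_raw( wp_unslash( $_POST['redirect_uri'] ?? '' ) );
    $code      = example_issue_code( get_current_user_id(), $client_id, $redirect );
    wp_redirect( add_query_arg( 'code', rawurlencode( $code ), $redirect ) );
    exit;
}

// HARDENED, step 1: the consent form carries a nonce tied to the user's session and
// to the specific client, so a nonce minted for one client cannot approve another.
function example_render_consent_form( $client_id, $redirect_uri ) {
    echo '<form method="post">';
    wp_nonce_field( 'example_approve_' . $client_id, '_example_nonce' );
    printf( '<input type="hidden" name="client_id" value="%s">', esc_attr( $client_id ) );
    printf( '<input type="hidden" name="redirect_uri" value="%s">', esc_attr( $redirect_uri ) );
    echo '<button type="submit">Approve</button></form>';
}

// HARDENED, step 2: reject any POST whose nonce is missing, forged, expired or
// minted for another user or client. A cross-site form cannot read the nonce value.
function example_approve_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required', 401 );
    }
    $client_id = esc_url_raw( wp_unslash( $_POST['client_id'] ?? '' ) );
    $redirect  = esc_url_raw( wp_unslash( $_POST['redirect_uri'] ?? '' ) );
    $nonce     = sanitize_text_field( wp_unslash( $_POST['_example_nonce'] ?? '' ) );
    if ( ! wp_verify_nonce( $nonce, 'example_approve_' . $client_id ) ) {
        wp_die( 'Invalid or missing CSRF token', 403 );
    }
    $code = example_issue_code( get_current_user_id(), $client_id, $redirect );
    wp_redirect( add_query_arg( 'code', rawurlencode( $code ), $redirect ) );
    exit;
}
```

The nonce check must sit before the authorization code is issued; wiring these handlers into the plugin's actual login_form_indieauth() flow is plugin-specific and not shown here.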

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block CSRF attacks targeting /wp-login.php?action=indieauth endpoints
  • Educate users about phishing risks and implement mandatory logout policies for inactive sessions

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins → IndieAuth version. If version is 4.5.4 or lower, system is vulnerable.

Check Version:

wp plugin get indieauth --field=version

Verify Fix Applied:

Verify IndieAuth plugin version is 4.5.5 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed OAuth authorization attempts from same IP
  • Unusual authorization requests to /wp-login.php?action=indieauth
  • Authorization codes issued to unfamiliar client applications

Network Indicators:

  • HTTP POST requests to /wp-login.php?action=indieauth with a missing or cross-site Referer/Origin header
  • Cross-origin requests to authorization endpoints

SIEM Query:

source="wordpress.log" AND (uri="/wp-login.php?action=indieauth" OR plugin="indieauth") AND (status=200 OR status=302)
