CVE-2025-25138 – A Cross-Site Request Forgery (CSRF) vulnerabili... (How to Fix)

Q: What is the severity of CVE-2025-25138?

CVE-2025-25138 has a CVSS score of 7.1 (HIGH). A Cross-Site Request Forgery (CSRF) vulnerability in the WordPress On Page SEO + Whatsapp Chat Button plugin allows attackers to inject malicious scripts that execute when other users view affected pages. This affects WordPress sites using the plugin versions up to 2.0.0. The CSRF leads to stored XSS, meaning the malicious content persists on the site.

📋 TL;DR

A Cross-Site Request Forgery (CSRF) vulnerability in the WordPress On Page SEO + Whatsapp Chat Button plugin allows attackers to inject malicious scripts that execute when other users view affected pages. This affects WordPress sites using the plugin versions up to 2.0.0. The CSRF leads to stored XSS, meaning the malicious content persists on the site.

💻 Affected Systems

Products:

WordPress On Page SEO + Whatsapp Chat Button plugin

Versions: n/a through 2.0.0

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects WordPress installations with the vulnerable plugin enabled. Requires user interaction (CSRF) to trigger the XSS injection.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could inject malicious JavaScript that steals administrator credentials, redirects users to malicious sites, or defaces the website when users visit compromised pages.

🟠

Likely Case

Attackers trick authenticated users into performing unintended actions that inject malicious scripts into website content, affecting visitors who view those pages.

🟢

If Mitigated

With proper CSRF protections and input validation, the vulnerability would be prevented from being exploited.

🌐 Internet-Facing: HIGH

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires tricking an authenticated user into performing a CSRF action. The stored XSS payload then affects other users viewing the compromised content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 2.0.0

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/ops-robots-txt/vulnerability/wordpress-on-page-seo-social-live-chat-formerly-ops-plugin-2-0-0-csrf-to-stored-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'On Page SEO + Whatsapp Chat Button'. 4. Click 'Update Now' if available, or manually update to latest version. 5. Verify plugin version is above 2.0.0.

🔧 Temporary Workarounds

Disable vulnerable plugin

WordPress

Temporarily disable the plugin until patched

wp plugin deactivate on-page-seo-whatsapp-chat-button

Implement CSRF tokens

WordPress

Add CSRF protection to plugin forms if customizing

🧯 If You Can't Patch

Disable the On Page SEO + Whatsapp Chat Button plugin completely
Implement web application firewall (WAF) rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for 'On Page SEO + Whatsapp Chat Button' version 2.0.0 or lower

Check Version:

wp plugin get on-page-seo-whatsapp-chat-button --field=version

Verify Fix Applied:

Verify plugin version is above 2.0.0 in WordPress admin plugins page

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to plugin admin endpoints
JavaScript injection patterns in plugin-related database entries

Network Indicators:

CSRF attacks targeting plugin admin pages
Malicious script loading from compromised pages

SIEM Query:

source="wordpress.log" AND ("on-page-seo" OR "whatsapp-chat") AND (POST OR admin-ajax.php)

📊 Metadata

CVE ID: CVE-2025-25138

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CWE: CWE-352

EPSS Score: 0.05% exploit probability (14th percentile)

Published: February 7, 2025

Last Updated: February 7, 2025

🔗 References

https://patchstack.com/database/wordpress/plugin/ops-robots-txt/vulnerability/wordpress-on-page-seo-social-live-chat-formerly-ops-plugin-2-0-0-csrf-to-stored-xss-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-25138, you might also want to check these: