CVE-2025-30764
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in the AntoineH Football Pool WordPress plugin allows attackers to trick authenticated administrators into performing unauthorized actions. This affects WordPress sites using Football Pool plugin versions up to 2.12.2. Attackers could modify plugin settings without the admin's knowledge.
💻 Affected Systems
- AntoineH Football Pool WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could change critical plugin settings, potentially disrupting functionality or enabling further attacks through misconfigured components.
Likely Case
Attackers modify plugin settings to disrupt functionality or create annoyance for users, though limited to plugin-specific changes.
If Mitigated
With proper CSRF protections, no unauthorized actions can be performed even if users are tricked into clicking malicious links.
🎯 Exploit Status
Exploitation requires social engineering to trick authenticated administrators into clicking malicious links.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.12.3 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Football Pool' and check for updates. 4. Update to version 2.12.3 or later. 5. Verify update completed successfully.
🔧 Temporary Workarounds
Implement CSRF Tokens Manually
allAdd CSRF protection to plugin forms if you cannot update immediately
Requires custom PHP development to add nonce verification to forms
Use WordPress Security Plugin
allInstall security plugin that adds CSRF protection globally
🧯 If You Can't Patch
- Restrict plugin access to trusted administrators only
- Implement web application firewall with CSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Football Pool > Version. If version is 2.12.2 or earlier, you are vulnerable.Check Version:
wp plugin list --name=football-pool --field=versionVerify Fix Applied:
After updating, verify version shows 2.12.3 or later in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to football-pool admin endpoints without referrer validation
- Multiple failed CSRF token validations in WordPress debug logs
Network Indicators:
- POST requests to /wp-admin/admin.php?page=footballpool-* endpoints without proper referrer headers
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin.php" AND uri_query="*footballpool*" AND http_method="POST")