CVE-2025-31404
📋 TL;DR
This CSRF vulnerability in the AF Tell a Friend WordPress plugin allows attackers to trick authenticated administrators into executing malicious actions, leading to stored cross-site scripting (XSS). Attackers can inject persistent malicious scripts that execute in victims' browsers when viewing affected pages. All WordPress sites using AF Tell a Friend plugin versions up to 1.4 are affected.
💻 Affected Systems
- AF Tell a Friend WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious JavaScript that steals administrator credentials, redirects users to malicious sites, or performs unauthorized administrative actions, potentially leading to complete site compromise.
Likely Case
Attackers inject malicious scripts that execute in users' browsers, potentially stealing session cookies, performing actions on behalf of users, or defacing the website.
If Mitigated
With proper CSRF protections and input validation, the attack chain would be broken, preventing both the CSRF and subsequent XSS exploitation.
🎯 Exploit Status
Exploitation requires social engineering to trick an authenticated administrator into clicking a malicious link. The CSRF leads to stored XSS, making the attack persistent.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'AF Tell a Friend' and check whether an update is available.
4. Click 'Update Now' or manually update to version 1.5+.
5. Verify the plugin is active and functioning.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until it is patched
wp plugin deactivate af-tell-a-friend
Implement CSRF Protection
Add CSRF tokens (WordPress nonces) to the plugin's forms via custom code or a security plugin
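As an added illustration (not the plugin's own code and not the fix released in 1.5), the hypothetical settings handler below shows the pattern that lets a forged admin request store attacker-controlled content, beside the nonce, capability and escaping checks that break that chain; the action, option and field names are assumptions.

```php
<?php
// Added example with a hypothetical handler: not AF Tell a Friend's code or its 1.5 patch.
// The option, action and field names below are assumptions for illustration only.

// --- Vulnerable pattern ---------------------------------------------------
// Any logged-in admin whose browser is tricked into POSTing here has the
// submitted value saved; rendering it unescaped later turns CSRF into stored XSS.
function taf_demo_save_vulnerable() {
    if ( isset( $_POST['taf_message'] ) ) {
        update_option( 'taf_demo_message', $_POST['taf_message'] ); // no nonce, no sanitizing
    }
}
function taf_demo_render_vulnerable() {
    echo get_option( 'taf_demo_message' ); // unescaped output
}

// --- Hardened pattern -----------------------------------------------------
// 1. Embed a nonce in the form so a cross-origin page cannot forge a valid request.
function taf_demo_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'taf_demo_save', 'taf_demo_nonce' ); // CSRF token tied to this action
    echo '<input type="hidden" name="action" value="taf_demo_save">';
    echo '<input type="text" name="taf_message" value="'
        . esc_attr( get_option( 'taf_demo_message', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// 2. Check capability and nonce before acting, then sanitize the input.
function taf_demo_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'taf_demo_save', 'taf_demo_nonce' ); // wp_die()s on a missing or invalid nonce
    $message = sanitize_text_field( wp_unslash( $_POST['taf_message'] ?? '' ) );
    update_option( 'taf_demo_message', $message );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_taf_demo_save', 'taf_demo_save_hardened' );

// 3. Escape on output so whatever is stored renders as text, never as script.
function taf_demo_render_hardened() {
    echo esc_html( get_option( 'taf_demo_message', '' ) );
}
```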
🧯 If You Can't Patch
- Remove the AF Tell a Friend plugin completely from the WordPress installation
- Implement web application firewall (WAF) rules to block CSRF attempts and XSS payloads targeting the plugin endpoints
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel, go to Plugins > Installed Plugins, find AF Tell a Friend and verify whether the version is 1.4 or earlier
Check Version:
wp plugin get af-tell-a-friend --field=version
Verify Fix Applied:
Verify that the plugin version is 1.5 or later in the WordPress admin panel, and test that the 'Tell a Friend' functionality works without security warnings
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php or plugin-specific endpoints
- Multiple failed CSRF token validations in WordPress debug logs
- Unexpected JavaScript injection in database content fields
Network Indicators:
- HTTP requests with suspicious parameters to plugin endpoints from unexpected referrers
- Patterns of requests that bypass normal user workflow
SIEM Query:
source="wordpress.log" AND ("af-tell-a-friend" OR "admin-ajax.php") AND (POST AND NOT "_wpnonce")