CVE-2025-64271

6.5 MEDIUM

📋 TL;DR

This CSRF vulnerability in HasThemes WP Plugin Manager allows attackers to trick authenticated WordPress administrators into performing unintended actions. It affects all WordPress sites using WP Plugin Manager version 1.4.7 or earlier.

💻 Affected Systems

Products:
  • HasThemes WP Plugin Manager
Versions: <= 1.4.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress administrator authentication and user interaction to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could trick administrators into installing malicious plugins, changing site settings, or performing other administrative actions without their knowledge.

🟠 Likely Case

Attackers could force administrators to install unwanted plugins, modify plugin settings, or perform other administrative functions via forged requests.

🟢 If Mitigated

With proper CSRF protections and user awareness, impact is limited because exploitation requires administrator interaction.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking an authenticated administrator into clicking a malicious link or visiting an attacker-controlled or compromised site while logged in.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.8 or later

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/wp-plugin-manager/vulnerability/wordpress-wp-plugin-manager-plugin-1-4-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WP Plugin Manager' and click 'Update Now'.
4. Verify the version is 1.4.8 or higher.

🔧 Temporary Workarounds

Implement CSRF Tokens (all): Add CSRF protection to plugin forms and actions

Use WordPress Nonces (all): Implement the WordPress nonce system for all plugin actions
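The nonce workaround above, as an added illustration that is not WP Plugin Manager's own code: a hypothetical admin-post handler named `wppm_toggle_plugin` shown without a nonce check (the pattern CSRF abuses) and with the WordPress nonce check that blocks forged cross-site requests. The action name, nonce field name, and function names are assumptions.

```php
<?php
// Added illustration (not WP Plugin Manager's code). Hypothetical handler
// "wppm_toggle_plugin" before and after CSRF hardening with WordPress nonces.

// BEFORE: trusts any POST arriving with the admin's session cookies.
// A form auto-submitted from another site rides on those cookies, and
// the capability check alone cannot tell a forged request from a real one.
function wppm_toggle_plugin_unprotected() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
    // ... plugin state change happens here ...
}

// AFTER: the form carries a nonce bound to this action and the current user.
// A cross-site page cannot read it, so check_admin_referer() rejects the
// forged request (it calls wp_die() with a 403 when the nonce is missing,
// expired, or bound to a different action or user).
function wppm_toggle_plugin_protected() {
    check_admin_referer( 'wppm_toggle_plugin', '_wppm_nonce' );
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
    // ... plugin state change happens here ...
}
add_action( 'admin_post_wppm_toggle_plugin', 'wppm_toggle_plugin_protected' );

// The settings form must emit the matching nonce field, or the hardened
// handler will reject the plugin's own legitimate submissions.
function wppm_render_toggle_form( $plugin_file ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wppm_toggle_plugin">
        <input type="hidden" name="plugin" value="<?php echo esc_attr( $plugin_file ); ?>">
        <?php wp_nonce_field( 'wppm_toggle_plugin', '_wppm_nonce' ); ?>
        <?php submit_button( 'Toggle plugin' ); ?>
    </form>
    <?php
}
```

For AJAX endpoints the same pairing applies with `check_ajax_referer()` on the server and the nonce passed in the request data.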

🧯 If You Can't Patch

  • Disable WP Plugin Manager plugin until patched
  • Implement web application firewall with CSRF protection rules

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, open Plugins > Installed Plugins and check whether the installed WP Plugin Manager version is 1.4.7 or lower.

Check Version:

wp plugin list --name='wp-plugin-manager' --field=version

Verify Fix Applied:

Confirm in the WordPress admin panel that the installed WP Plugin Manager version is 1.4.8 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected plugin installations or administrative actions from authenticated users
  • Multiple failed CSRF token validations

Network Indicators:

  • HTTP POST requests to plugin endpoints without proper referrer headers or tokens

SIEM Query:

source="wordpress.log" AND ("wp-plugin-manager" OR "plugin manager") AND (action="install" OR action="activate" OR action="deactivate")

🔗 References
