Cross-Site Request Forgery in Label Plugins for WordPress
CVE-2025-12401

6.1MEDIUM

Key Information:

Vendor

WordPress
Status
Label Plugins
Vendor
CVE Published:
4 November 2025

What is CVE-2025-12401?

The Label Plugins plugin for WordPress is susceptible to Cross-Site Request Forgery, affecting all versions up to and including 0.5. The vulnerability arises from improper nonce validation in the label_plugins_options() function. As a result, unauthenticated attackers could potentially exploit this flaw to manipulate settings and inject malicious scripts. This exploitation requires deceiving an administrator into executing an action, such as clicking an infected link, permitting unauthorized alterations to the web application.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Label Plugins * <= 0.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/label-plugins/...
https://plugins.trac.wordpress.org/browser/label-plugins/...

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

JohSka
JSON
.