Cross-Site Request Forgery in SH Contextual Help Plugin for WordPress
CVE-2025-12410

6.1 MEDIUM

Key Information:

Vendor: WordPress

CVE Published: 4 November 2025

What is CVE-2025-12410?

The SH Contextual Help plugin for WordPress is vulnerable to Cross-Site Request Forgery because of a flaw in nonce validation in the sh_contextual_help_dashboard_widget() function. An unauthenticated attacker can use a forged request to make unauthorized changes to the plugin's settings, including injecting malicious scripts, provided a site administrator is tricked into performing an action such as clicking a deceptive link. Correct nonce validation on the settings handler is the mitigation for this class of flaw.
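The nonce-validation weakness the description refers to, as an added illustration that is not the plugin's own code: a hypothetical dashboard-widget settings handler (function, option and field names with the shch_ prefix are made up) first in a weak form and then hardened with WordPress's nonce and capability checks.

```php
<?php
// Added illustration, not the SH Contextual Help plugin's code. All shch_*
// names are made up for this example.

// WEAK: the nonce is fetched but its verification result is never acted on, so
// a cross-origin POST submitted by a logged-in administrator's browser is
// accepted and the unsanitized value is stored and later echoed in the dashboard.
function shch_example_save_settings_weak() {
    if ( isset( $_POST['shch_help_text'] ) ) {
        $nonce = isset( $_POST['shch_nonce'] ) ? $_POST['shch_nonce'] : '';
        wp_verify_nonce( $nonce, 'shch_save_settings' ); // return value ignored
        update_option( 'shch_help_text', wp_unslash( $_POST['shch_help_text'] ) );
    }
}

// HARDENED: fail closed on a missing or invalid nonce, require the capability
// to manage options, and sanitize what is stored so a settings change cannot
// become stored script injection.
function shch_example_save_settings_hardened() {
    if ( ! isset( $_POST['shch_help_text'] ) ) {
        return;
    }
    // check_admin_referer() verifies the nonce in the 'shch_nonce' field and
    // terminates the request with a 403 if it is absent or invalid.
    check_admin_referer( 'shch_save_settings', 'shch_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'shch-example' ), 403 );
    }
    $text = wp_kses_post( wp_unslash( $_POST['shch_help_text'] ) );
    update_option( 'shch_help_text', $text );
}

// The legitimate form must carry the matching nonce field; a forged form
// hosted elsewhere cannot produce a valid one for the victim's session.
function shch_example_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'shch_save_settings', 'shch_nonce' );
    echo '<textarea name="shch_help_text">'
        . esc_textarea( get_option( 'shch_help_text', '' ) )
        . '</textarea>';
    submit_button();
    echo '</form>';
}
```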

Affected Version(s)

SH Contextual Help, all versions up to and including 3.2.1

CVSS v3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

JohSka