Cross-Site Request Forgery Vulnerability in WPCF7 Stop Words Plugin for WordPress
CVE-2025-12413

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: WPcf7 Stop Words
Vendor: CVE Published:; 4 November 2025

What is CVE-2025-12413?

The Social Media WPCF7 Stop Words plugin for WordPress has a vulnerability that allows unauthenticated attackers to exploit a lack of proper nonce validation in the smWpCfSwOptions() function. This flaw enables attackers to potentially manipulate plugin settings or inject malicious scripts by tricking a site administrator into making a forged request, such as clicking a deceptive link. This vulnerability affects all versions of the plugin up to and including 1.1.3, posing significant risks for websites utilizing this plugin.

Affected Version(s)

WPCF7 Stop words * <= 1.1.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wpcf7-stop-wor...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 4, 2025
Vulnerability Reserved
Oct 28, 2025

Credit

dayea song

JSON