Cross-Site Request Forgery Vulnerability in Audio Comments Plugin for WordPress
CVE-2025-4189
6.1 MEDIUM
What is CVE-2025-4189?
The Audio Comments Plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0.4. The vulnerability stems from inadequate nonce validation on the 'audio-comments/audior-settings.php' page. An attacker who tricks a site administrator into clicking a malicious link can cause a forged request to be submitted with that administrator's session, potentially leading to unauthorized changes to plugin settings and the injection of harmful scripts. Users should apply updates and implement security measures to mitigate this risk.
Affected Version(s)
Audio Comments Plugin * <= 1.0.4
CVSS V3.1
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Johannes Skamletz