Cross-Site Request Forgery in Last.fm Recent Album Artwork Plugin for WordPress
CVE-2025-7684
6.1 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 16 August 2025
What is CVE-2025-7684?
The Last.fm Recent Album Artwork plugin for WordPress is subject to a Cross-Site Request Forgery vulnerability due to improper nonce validation on the 'lastfm_albums_artwork.php' page. An attacker can exploit this vulnerability to trick a site administrator into executing unauthorized actions by clicking on a malicious link. This can lead to unauthorized modifications of plugin settings and potential injection of harmful web scripts, thus compromising the site's security.
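The class of flaw described above, shown as an added example that is not the plugin's own code: a WordPress settings handler without nonce validation beside a hardened form. All lfm_demo_* option, field, action and page names are hypothetical; the WordPress functions are core APIs.

```php
<?php
// Hypothetical settings handlers for illustration; the option, field and
// action names (lfm_demo_*) are assumptions, not taken from the plugin.

// Vulnerable pattern: any POST that reaches this code from a logged-in
// administrator's browser changes the setting, including one submitted
// by a third-party page, and the raw value is stored unsanitized.
function lfm_demo_save_settings_vulnerable() {
    if ( isset( $_POST['lfm_demo_username'] ) ) {
        update_option( 'lfm_demo_username', $_POST['lfm_demo_username'] );
    }
}

// Hardened form: emit a nonce bound to the current user and this action.
function lfm_demo_render_form() {
    $value = get_option( 'lfm_demo_username', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="lfm_demo_save">';
    wp_nonce_field( 'lfm_demo_save_settings', 'lfm_demo_nonce' );
    // Escape on output so a stored value cannot break out of the attribute.
    echo '<input type="text" name="lfm_demo_username" value="' . esc_attr( $value ) . '">';
    submit_button();
    echo '</form>';
}

// Hardened handler: capability check, nonce check, then sanitize.
function lfm_demo_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops the request if the nonce is missing, expired or for another action.
    check_admin_referer( 'lfm_demo_save_settings', 'lfm_demo_nonce' );

    $username = isset( $_POST['lfm_demo_username'] )
        ? sanitize_text_field( wp_unslash( $_POST['lfm_demo_username'] ) )
        : '';
    update_option( 'lfm_demo_username', $username );

    wp_safe_redirect( admin_url( 'options-general.php?page=lfm-demo' ) );
    exit;
}
add_action( 'admin_post_lfm_demo_save', 'lfm_demo_save_settings' );
```

When reviewing a plugin for this issue, check that every state-changing admin request passes both a capability check and a nonce check before any option is written.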
Affected Version(s)
Last.fm Recent Album Artwork * <= 1.0.2