CVE-2025-0810 Overview
CVE-2025-0810 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Read More & Accordion plugin for WordPress in all versions up to and including 3.4.7. The vulnerability exists due to missing or incorrect nonce validation on the addNewButtons() function, which can allow unauthenticated attackers to include and execute arbitrary PHP files through a forged request. Successful exploitation requires social engineering to trick a site administrator into clicking a malicious link.
Critical Impact
This CSRF vulnerability chains with arbitrary PHP file inclusion, potentially enabling full remote code execution on affected WordPress installations when an administrator is socially engineered.
Affected Products
- Read More & Accordion WordPress Plugin versions ≤ 3.4.7
- WordPress installations running vulnerable plugin versions
- Also known as Expand Maker plugin (expand-maker)
Discovery Timeline
- April 5, 2025 - CVE-2025-0810 published to NVD
- April 15, 2026 - Last updated in NVD database
Technical Details for CVE-2025-0810
Vulnerability Analysis
This vulnerability represents a dangerous combination of Cross-Site Request Forgery (CSRF) and Local File Inclusion (LFI) that can escalate to Remote Code Execution. The core issue lies in the addNewButtons() function within the Read More & Accordion plugin, where proper nonce validation is either missing or incorrectly implemented.
WordPress nonces are security tokens used to verify that requests originate from the legitimate site and were initiated by an authenticated user. When nonce validation is absent or flawed, attackers can craft malicious requests that the WordPress installation will accept as legitimate when processed in the context of an authenticated administrator's session.
The attack chain requires user interaction—specifically, an administrator must be tricked into clicking a malicious link or visiting a crafted page while authenticated to their WordPress dashboard. Once the forged request is processed, the attacker can leverage the file inclusion capability to execute arbitrary PHP code on the server.
Root Cause
The root cause is inadequate implementation of WordPress's built-in CSRF protection mechanisms in the addNewButtons() function. The affected code paths can be found in the plugin's ReadMoreInit.php and ReadMorePages.php class files. Without proper nonce verification using WordPress functions like wp_verify_nonce() or check_admin_referer(), the plugin cannot distinguish between legitimate administrative actions and forged requests from external sources.
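The following is an added illustration, not the plugin's own code: a hypothetical admin-post handler that saves a button definition, showing the nonce and capability checks the paragraph above refers to. The function names, the 'rma-save-button' nonce action, the field names and the option name are assumptions.

```php
<?php
// Added example (not from the Read More & Accordion plugin). All names below
// are hypothetical. The defective shape being avoided is an admin_post_* handler
// that reads $_POST and acts on it without any check_admin_referer() call.

// Form side: emit the nonce next to the other fields on the admin page.
function rma_render_button_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rma_save_button">
        <?php wp_nonce_field( 'rma-save-button', 'rma_save_button_nonce' ); ?>
        <input type="text" name="button_label">
        <?php submit_button( 'Save button' ); ?>
    </form>
    <?php
}

// Handler side. Order matters: verify the nonce first, then the capability,
// and only then read any request input.
function rma_save_button() {
    // check_admin_referer() calls wp_die() on a missing or stale nonce, so a
    // forged cross-site request never reaches the code below.
    check_admin_referer( 'rma-save-button', 'rma_save_button_nonce' );

    // A nonce proves intent, not authority: still require the right capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'rma' ), '', array( 'response' => 403 ) );
    }

    $label = isset( $_POST['button_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['button_label'] ) )
        : '';

    // Persist data only; never derive a file path for include/require from
    // request input, which is the escalation the advisory describes.
    update_option( 'rma_button_label', $label );

    wp_safe_redirect( admin_url( 'admin.php?page=rma-buttons&saved=1' ) );
    exit;
}
// admin_post_{action} (without the nopriv_ variant) only fires for logged-in users.
add_action( 'admin_post_rma_save_button', 'rma_save_button' );
```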
Attack Vector
The attack is network-based but indirect: the attacker must deliver a malicious payload to an authenticated WordPress administrator rather than contacting the vulnerable endpoint directly. The attack scenario typically involves:
- Attacker crafts a malicious HTML page or link containing a forged request targeting the vulnerable addNewButtons() function
- Attacker delivers the malicious content to a WordPress site administrator via phishing email, malicious advertisement, or compromised website
- When the administrator clicks the link or visits the page while logged into their WordPress dashboard, the forged request executes in their authenticated session
- The vulnerable function processes the request without validating the nonce, allowing arbitrary PHP file inclusion
- The included PHP file executes with the privileges of the web server, potentially enabling full site compromise
The vulnerability requires user interaction and successful social engineering, which adds complexity to the attack. However, once successful, the impact is severe as it can lead to complete compromise of the WordPress installation.
Detection Methods for CVE-2025-0810
Indicators of Compromise
- Unexpected PHP files appearing in WordPress directories, particularly in upload or temporary folders
- Suspicious outbound network connections from the WordPress server
- Unusual database modifications or new administrator accounts created without authorization
- Web server access logs showing POST requests to plugin endpoints from external referrers
- Modified plugin files or new files with obfuscated PHP code
Detection Strategies
- Monitor WordPress admin action logs for addNewButtons function calls with suspicious parameters
- Implement Web Application Firewall (WAF) rules to detect CSRF patterns targeting the expand-maker plugin
- Review HTTP referer headers for requests to sensitive plugin endpoints—legitimate requests should originate from the WordPress admin domain
- Deploy file integrity monitoring to detect unauthorized PHP file additions or modifications
- Analyze server access logs for unusual POST request patterns to /wp-admin/ endpoints
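As an added example (not part of the advisory), a small PHP script that applies the referer and POST-pattern checks listed above to Apache/Nginx combined-format access logs, flagging POST requests to /wp-admin/ endpoints whose Referer is absent or from a foreign origin. The site host, log lines and file names are constructed for the demonstration.

```php
<?php
// Added example, not from the advisory. Log lines below are constructed.
// The Referer check is a heuristic: browsers and privacy settings may strip the
// header, so treat hits as triage input, not proof of a forged request.

const SITE_HOST = 'blog.example.com'; // assumed site host

$logLines = [
    '203.0.113.7 - - [05/Apr/2025:10:01:02 +0000] "GET /wp-admin/admin.php?page=expand-maker HTTP/1.1" 200 5120 "https://blog.example.com/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Apr/2025:10:01:40 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://blog.example.com/wp-admin/admin.php?page=expand-maker" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Apr/2025:10:05:13 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://lure.example.net/page.html" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Apr/2025:10:06:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
];

// Parse one combined-format line into its fields; null if it does not match.
function parse_combined_log(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
            'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7]];
}

// A legitimate admin action should carry a Referer whose host is our own site.
function referer_is_local(string $referer, string $siteHost): bool {
    if ($referer === '' || $referer === '-') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $siteHost) === 0;
}

// Return every POST to a /wp-admin/ endpoint that lacks a same-site Referer.
function suspicious_admin_posts(array $lines, string $siteHost): array {
    $hits = [];
    foreach ($lines as $line) {
        $r = parse_combined_log($line);
        if ($r === null || $r['method'] !== 'POST') continue;
        if (strpos($r['path'], '/wp-admin/') !== 0) continue;
        if (referer_is_local($r['referer'], $siteHost)) continue;
        $hits[] = $r;
    }
    return $hits;
}

// With the constructed input, the third and fourth lines are reported.
foreach (suspicious_admin_posts($logLines, SITE_HOST) as $hit) {
    printf("%s %s POST %s referer=%s\n", $hit['time'], $hit['ip'], $hit['path'], $hit['referer'] ?: '(none)');
}
```

Front-end code that posts to admin-ajax.php legitimately produces same-site or empty referers, so exclude or whitelist that endpoint once you have baselined your own traffic.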
Monitoring Recommendations
- Enable WordPress audit logging plugins to track administrative actions and plugin modifications
- Configure SentinelOne Singularity to monitor for suspicious PHP process execution and file system changes
- Set up alerts for new file creation in WordPress plugin directories outside of standard update processes
- Monitor for unusual process spawning from PHP-FPM or Apache/Nginx worker processes
- Implement Content Security Policy headers and referer validation at the web server level
How to Mitigate CVE-2025-0810
Immediate Actions Required
- Update the Read More & Accordion (Expand Maker) plugin to the latest patched version immediately
- If update is not possible, deactivate and remove the plugin until a patch can be applied
- Audit WordPress administrator accounts and revoke any suspicious or unrecognized users
- Review recent file system changes on the WordPress installation for signs of compromise
- Ensure WordPress administrators are trained to recognize phishing attempts and suspicious links
Patch Information
A security patch addressing this vulnerability is available in WordPress Changeset #3265987. Site administrators should update the Read More & Accordion plugin through the WordPress plugin update mechanism or by downloading the latest version from the official WordPress plugin repository. The patch adds proper nonce validation to the addNewButtons() function and related code paths.
For additional technical details about the vulnerability, refer to the Wordfence Vulnerability Analysis.
Workarounds
- Temporarily deactivate the Read More & Accordion plugin if immediate patching is not feasible
- Implement a Web Application Firewall (WAF) rule to block requests to the vulnerable endpoint that lack valid referrer headers from your WordPress domain
- Restrict WordPress admin panel access to trusted IP addresses using .htaccess or server-level firewall rules
- Ensure administrators use separate browser profiles or incognito mode when clicking external links to prevent CSRF attacks
- Consider implementing additional WordPress security plugins that provide CSRF protection and request validation
# Example .htaccess rule to restrict wp-admin access by IP
# 192.168.1.100 is a placeholder; replace it with your own trusted address(es).
# Caveats: behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, not
# the client's; and ^/wp-admin also matches /wp-admin/admin-ajax.php, which
# front-end features of some themes and plugins call for anonymous visitors.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.100$
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.