CVE-2025-32922 Overview
CVE-2025-32922 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP2LEADS WordPress plugin developed by Saleswonder Team: Tobias. The flaw affects all versions up to and including 3.5.0 and allows attackers to chain CSRF with Stored Cross-Site Scripting (XSS). The vulnerability is categorized under CWE-352 — Cross-Site Request Forgery.
Critical Impact
An unauthenticated attacker can trick an authenticated administrator into submitting a forged request that injects persistent JavaScript into the WordPress site, leading to session theft, account takeover, or backdoor placement.
Affected Products
- WP2LEADS WordPress plugin versions through 3.5.0
- Vendor: Saleswonder Team: Tobias
- WordPress sites with the affected plugin installed and active
Discovery Timeline
- 2025-05-15 - CVE-2025-32922 published to the National Vulnerability Database
- 2026-04-23 - Last updated in the NVD database
Technical Details for CVE-2025-32922
Vulnerability Analysis
The WP2LEADS plugin exposes administrative actions that do not properly validate the origin of incoming requests. The plugin handlers accept state-changing operations without verifying a valid WordPress nonce or comparable anti-CSRF token. When an authenticated administrator visits an attacker-controlled page, the browser silently submits a forged request to the vulnerable endpoint.
Because the affected handlers also fail to sanitize or escape user-supplied input, the forged request can persist arbitrary HTML or JavaScript in plugin-managed storage. The payload then executes in the browser of any user who later loads the affected page, producing Stored XSS. User interaction is required because an administrator must visit the malicious page while logged in.
Root Cause
The root cause is the absence of CSRF protection on privileged actions, combined with insufficient input validation on stored fields. Standard WordPress mitigations such as wp_verify_nonce() checks and output escaping via esc_html() or esc_attr() are not consistently enforced in WP2LEADS through version 3.5.0.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker hosts a crafted HTML page containing an auto-submitting form or fetch request targeting a vulnerable WP2LEADS endpoint. An authenticated administrator visiting that page triggers the request under their session. The forged request stores attacker-controlled script that executes within the WordPress admin context on subsequent page views.
No verified public proof-of-concept code is available. Refer to the Patchstack WP2Leads Vulnerability advisory for technical details.
Detection Methods for CVE-2025-32922
Indicators of Compromise
- Unexpected <script> tags, onerror, or onload attributes stored in WP2LEADS plugin database tables or options.
- WordPress admin sessions generating outbound requests to unfamiliar domains shortly after visiting external sites.
- New or modified administrator accounts, plugin installations, or theme edits without corresponding audit log entries.
- HTTP referer headers in plugin POST requests originating from domains outside the WordPress site.
Detection Strategies
- Audit the WP2LEADS plugin tables and wp_options rows for HTML or JavaScript content where plain text is expected.
- Inspect WordPress access logs for POST requests to WP2LEADS admin endpoints that lack a valid _wpnonce parameter.
- Use a web application firewall to log and flag cross-origin POST requests to /wp-admin/admin.php and admin-ajax.php paths referencing the plugin.
Monitoring Recommendations
- Enable WordPress activity logging to track configuration changes made through the WP2LEADS plugin.
- Monitor browser-side errors and Content Security Policy (CSP) violation reports for evidence of injected scripts.
- Correlate administrator login events with subsequent plugin configuration changes to identify suspicious sequences.
How to Mitigate CVE-2025-32922
Immediate Actions Required
- Update the WP2LEADS plugin to a version above 3.5.0 once the vendor releases a patched build.
- If no fixed version is available, deactivate and remove the WP2LEADS plugin until a patch is published.
- Review all administrator accounts and rotate credentials for any account that may have visited untrusted sites while logged in.
- Inspect plugin-managed content for injected scripts and remove any malicious payloads from the database.
Patch Information
The Patchstack advisory tracks fix availability for this issue. Consult the Patchstack WP2Leads Vulnerability advisory for the latest fixed version. Apply the update through the WordPress plugin dashboard or via WP-CLI once published.
Workarounds
- Restrict access to the WordPress admin area using IP allowlisting at the web server or firewall layer.
- Require administrators to use a separate browser profile that does not visit untrusted sites during active sessions.
- Deploy a web application firewall rule that blocks state-changing requests to WP2LEADS endpoints lacking a valid nonce parameter.
- Enforce a strict Content Security Policy in the WordPress admin to limit inline script execution.
# Update or remove the vulnerable plugin via WP-CLI
wp plugin update wp2leads
wp plugin deactivate wp2leads
wp plugin delete wp2leads
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
