Skip to main content
CVE Vulnerability Database

CVE-2025-7685: Like & Share My Site WordPress CSRF Flaw

CVE-2025-7685 is a Cross-Site Request Forgery vulnerability in the Like & Share My Site WordPress plugin that allows attackers to modify settings and inject scripts. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7685 Overview

CVE-2025-7685 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Like & Share My Site plugin for WordPress in all versions up to and including 0.2. The flaw stems from missing or incorrect nonce validation on the lsms_admin page. Unauthenticated attackers can update plugin settings and inject malicious web scripts by tricking an authenticated administrator into clicking a crafted link. Successful exploitation requires user interaction but no attacker privileges, and the injected scripts execute in the administrator's browser session under the target site's origin.

Critical Impact

Attackers can modify plugin settings and inject stored JavaScript into administrative pages, enabling persistent script execution against site visitors and administrators.

Affected Products

  • WordPress Like & Share My Site plugin, versions up to and including 0.2

Discovery Timeline

  • 2025-07-22 - CVE-2025-7685 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7685

Vulnerability Analysis

The Like & Share My Site plugin exposes an administrative settings handler at the lsms_admin page. This handler processes state-changing requests without verifying an anti-CSRF token (WordPress nonce). Because WordPress relies on nonces to bind sensitive form submissions to the current authenticated session, the absence of this check allows any HTTP request that reaches the endpoint with a valid administrator session cookie to succeed.

An attacker hosts a page that auto-submits a forged POST request to the vulnerable settings endpoint. When a logged-in administrator visits the attacker-controlled page, the browser attaches the WordPress session cookie and the server processes the request as legitimate. The attacker chooses arbitrary input values, including HTML and JavaScript payloads, that the plugin later renders in administrative or public pages. This chains CSRF with stored Cross-Site Scripting (XSS).

Root Cause

The root cause is a missing or incorrect nonce validation on the lsms_admin settings handler, classified as [CWE-352] Cross-Site Request Forgery. The plugin does not call check_admin_referer() or wp_verify_nonce() before applying submitted settings, and it does not sanitize the resulting values against script injection.

Attack Vector

Exploitation is network-based and requires user interaction from a target with administrator privileges. The attacker delivers a link, malicious page, or embedded content that triggers the forged request from the victim's authenticated browser. No authentication is required on the attacker's side. Once settings are updated with an injected payload, the malicious script executes whenever the affected page is rendered.

No public proof-of-concept exploit or in-the-wild exploitation has been documented. Additional technical context is available in the WordPress Plugin Code and the Wordfence Vulnerability Report.

Detection Methods for CVE-2025-7685

Indicators of Compromise

  • Unexpected changes to Like & Share My Site plugin settings recorded in WordPress audit logs or database revisions to wp_options entries associated with the plugin.
  • HTTP POST requests to wp-admin/admin.php?page=lsms_admin with Referer headers pointing to external, untrusted origins.
  • <script> tags, event handlers, or obfuscated JavaScript stored in plugin configuration fields.

Detection Strategies

  • Review web server access logs for administrator POST requests to the lsms_admin endpoint that originate from cross-site referrers or lack an in-session navigation flow.
  • Monitor the WordPress options table for unexpected modifications to Like & Share My Site configuration values, especially entries containing HTML or JavaScript.
  • Alert on browser-rendered script execution from administrative pages using Content Security Policy (CSP) violation reports.

Monitoring Recommendations

  • Enable a WordPress activity logging plugin to record settings changes with user, IP, and referrer attribution.
  • Forward web server and WordPress audit logs to a centralized SIEM and correlate administrator activity with external referrers and off-hours access.
  • Track outbound requests from administrator browsers to unfamiliar domains that could deliver CSRF payloads.

How to Mitigate CVE-2025-7685

Immediate Actions Required

  • Deactivate and remove the Like & Share My Site plugin until a patched version is confirmed available, since the vulnerability affects all versions through 0.2.
  • Audit the plugin's stored settings and remove any injected HTML or JavaScript content.
  • Force administrator session invalidation and rotate credentials if compromise is suspected.

Patch Information

At the time of publication, no fixed version has been identified for the Like & Share My Site plugin. Refer to the Wordfence Vulnerability Report for the current patch status and monitor the plugin's WordPress.org listing for updates.

Workarounds

  • Uninstall the plugin and replace it with an actively maintained alternative that enforces nonce validation on administrative actions.
  • Deploy a Web Application Firewall (WAF) rule that blocks POST requests to wp-admin/admin.php?page=lsms_admin when the Referer header does not match the site's own origin.
  • Restrict WordPress administrator access to trusted IP ranges and require administrators to use a dedicated browser profile that does not visit untrusted sites.
bash
# Example Apache configuration to block cross-origin POSTs to the vulnerable endpoint
<LocationMatch "/wp-admin/admin\.php">
    SetEnvIfNoCase Referer "^https?://your-site\.example(/|$)" trusted_ref
    <RequireAll>
        Require all granted
        Require env trusted_ref
    </RequireAll>
</LocationMatch>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.