Skip to main content
CVE Vulnerability Database

CVE-2025-8104: Memory Usage WordPress Plugin CSRF Flaw

CVE-2025-8104 is a Cross-Site Request Forgery vulnerability in the Memory Usage plugin for WordPress that allows attackers to install whitelisted plugins. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-8104 Overview

CVE-2025-8104 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] affecting the Memory Usage plugin for WordPress in all versions up to and including 3.98. The flaw resides in the wpmemory_install_plugin() function, which lacks nonce validation. An unauthenticated attacker can forge a request that, when triggered by an authenticated administrator, silently installs one of several whitelisted plugins on the target WordPress site. Exploitation requires user interaction, typically by tricking an administrator into clicking a crafted link.

Critical Impact

Successful exploitation lets remote attackers install arbitrary whitelisted plugins on a WordPress site without administrator consent, expanding the site's attack surface.

Affected Products

  • WordPress Memory Usage plugin (wp-memory) versions up to and including 3.98
  • WordPress sites where an administrator has the plugin active and installed
  • Any environment where administrators may interact with untrusted links while authenticated

Discovery Timeline

  • 2025-07-27 - CVE-2025-8104 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-8104

Vulnerability Analysis

The Memory Usage plugin exposes a plugin installation routine through the wpmemory_install_plugin() handler. WordPress typically defends state-changing administrative actions with nonces validated via check_admin_referer() or wp_verify_nonce(). In vulnerable versions of wp-memory, this validation is absent, so the handler accepts requests solely based on the administrator's authenticated session cookie.

An attacker hosts a malicious page or link that issues a request to the vulnerable endpoint. When a logged-in WordPress administrator visits the attacker-controlled resource, the browser automatically attaches the authentication cookies. The plugin then executes the installation action as if the administrator had initiated it. The impact is limited to a curated set of whitelisted plugins, which restricts the attacker to installing pre-approved third-party code rather than arbitrary attacker-supplied plugins.

Root Cause

The root cause is missing anti-CSRF token validation in the wpmemory_install_plugin() function. Without a nonce check, the server cannot distinguish between a legitimate administrator-initiated request and a cross-origin request forged by an attacker.

Attack Vector

The attack vector is network-based and requires user interaction. An attacker crafts an HTML page or link containing a request targeting the vulnerable endpoint on a victim WordPress site. Social engineering, such as phishing emails or malicious forum posts, is used to lure an authenticated administrator into visiting the attacker's resource. Because the request originates from the administrator's browser with valid session cookies, the plugin executes the install operation. Details of the vulnerable code path are documented in the WordPress Plugin Code Review and the fix is available in the WordPress Plugin Changeset.

Detection Methods for CVE-2025-8104

Indicators of Compromise

  • Unexpected plugins from the wp-memory whitelist appearing in the WordPress wp-content/plugins/ directory
  • Entries in WordPress activity logs showing plugin installations without a corresponding administrator-initiated workflow
  • HTTP access log entries containing requests to wpmemory_install_plugin with Referer headers pointing to external, untrusted domains

Detection Strategies

  • Review web server access logs for POST or GET requests invoking the wpmemory_install_plugin action, particularly those lacking a same-origin Referer header
  • Correlate plugin install events with administrator authentication sessions and browsing patterns to spot forged requests
  • Compare installed plugin inventories against approved baselines and alert on additions not tied to a change ticket

Monitoring Recommendations

  • Enable WordPress audit logging to capture plugin installation, activation, and deactivation events with the initiating user and IP address
  • Monitor administrator accounts for unusual browsing activity around the time of plugin state changes
  • Alert on modifications to the wp-content/plugins/ directory using file integrity monitoring

How to Mitigate CVE-2025-8104

Immediate Actions Required

  • Update the Memory Usage (wp-memory) plugin to a version later than 3.98 that includes the nonce validation fix referenced in the vendor changeset
  • If an immediate update is not possible, deactivate and remove the wp-memory plugin from all WordPress installations
  • Audit installed plugins to confirm no unauthorized whitelisted plugins were added and remove any that cannot be attributed to a legitimate change

Patch Information

The vendor addressed the missing nonce validation in the commit referenced by the WordPress Plugin Changeset 3333316. Administrators should upgrade to the fixed release available through the WordPress Plugin Developer Info page. Additional context is provided in the Wordfence Vulnerability Report.

Workarounds

  • Restrict administrator access to the WordPress dashboard using IP allowlisting or a VPN to limit exposure to CSRF payloads
  • Deploy a web application firewall rule that blocks requests to the wpmemory_install_plugin action lacking a valid same-origin Referer and WordPress nonce parameter
  • Instruct administrators to log out of WordPress sessions when not actively managing the site and to avoid clicking untrusted links while authenticated
bash
# Configuration example: remove the vulnerable plugin via WP-CLI
wp plugin deactivate wp-memory
wp plugin delete wp-memory
wp plugin list --status=active --format=table

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.