Depicter < 4.0.5 – Cross-Site Request Forgery | CVE 2025-8383 | Plugin Vulnerabilities

Description

The Depicter plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions less than, or equal to, 4.0.4. This is due to missing or incorrect nonce validation on the depicter-document-rules-store function. This makes it possible for unauthenticated attackers to modify document rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Fixed in 4.0.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c54e5cd9-cc51-4367-afe0-11a6abfc0437

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

4efc113c-18b0-407c-8295-d6146a038409

Timeline

Publicly Published

2025-10-30 (about 6 months ago)

Added

2025-10-30 (about 6 months ago)

Last Updated

2025-12-19 (about 4 months ago)

Other

Published

Title

Published

2023-11-06

Title

Feather Login Page < 1.1.4 - CSRF

Published

2024-07-01

Title

Community Events < 1.5 - Event Deletion via CSRF

Published

2024-03-28

Title

Custom WooCommerce Checkout Fields Editor < 1.3.1 - Cross-Site Request Forgery

Published

2025-01-08

Title

Action Network < 1.8.0 - Reflected Cross-Site Scripting

Published

2025-03-31

Title

PostmarkApp Email Integrator <= 2.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting