WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule <= 2020.1.0 – Cross-Site Request Forgery | CVE 2025-58846 | Plugin Vulnerabilities

Description

The WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2020.1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8bca36f7-4087-4378-b4f6-6c0bb24f24ff

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Xuan Chien

Verified

No

WPVDB ID

5aa32f39-9629-4b2e-b2f8-1635f4fdeefc

Timeline

Publicly Published

2025-09-05 (about 7 months ago)

Added

2025-09-09 (about 6 months ago)

Last Updated

2025-09-09 (about 6 months ago)

Other

Published

Title

Published

2025-03-19

Title

WP MultiTasking <= 0.1.12 - Header/Footer/Body Script Update via CSRF

Published

2024-04-12

Title

Libsyn Publisher Hub <= 1.4.4 - Cross-Site Request Forgery

Published

2023-08-02

Title

Upload Media By URL < 1.0.8 - Stored XSS via CSRF

Published

2025-09-22

Title

TOCHAT.BE <= 1.3.4 - Cross-Site Request Forgery

Published

2022-06-16

Title

Rename wp-login.php <= 2.6.0 - Secret URL Update via CSRF