WordPress Plugin Vulnerabilities

AI WP Writer < 3.8.4.5 - Cross-Site Request Forgery

Description

The AI WP Writer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.8.4.4. This is due to missing or incorrect nonce validation on the options() function. This makes it possible for unauthenticated attackers to update settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
ai-wp-writer
Fixed in 3.8.4.5

References

CVE
CVE-2025-22297
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ff4895bb-b353-423c-a135-bf504ad77e53

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dhabaleshwar Das
Verified
No
WPVDB ID
8f44ce99-d328-4dde-a07f-7c686bc8e1d4

Timeline

Publicly Published
2025-01-06 (about 1 year ago)
Added
2025-01-15 (about 1 year ago)
Last Updated
2025-01-15 (about 1 year ago)

Other

Published
Title
Published
2023-07-24
Title
Perelink Pro <= 2.1.4 - Settings Update via CSRF
Published
2024-08-07
Title
Hummingbird < 3.9.2 - Cross-Site Request Forgery
Published
2014-12-12
Title
W3 Total Cache <= 0.9.4 - Cross-Site Request Forgery (CSRF)
Published
2025-06-05
Title
Elite Video Player <= 10.0.5 - Cross-Site Request Forgery
Published
2024-04-11
Title
Popup Box < 2.2.7 - Popup Deletion via CSRF