WordPress Plugin Vulnerabilities

Foxtool All-in-One: Contact chat button, Custom login, Media optimize images < 2.5.3 - Cross-Site Request Forgery to Google OAuth Connection

Description

The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the foxtool_login_google() function. This makes it possible for unauthenticated attackers to establish an OAuth Connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
foxtool
Fixed in 2.5.3

References

CVE
CVE-2025-13408
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/40886b66-f6a2-404c-9d0d-5fc3da6a896c

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
D01EXPLOIT OFFICIAL
Verified
No
WPVDB ID
b6e8d8d5-f9a4-4a56-8ffd-0e500f595047

Timeline

Publicly Published
2025-12-11 (about 5 months ago)
Added
2025-12-11 (about 5 months ago)
Last Updated
2025-12-12 (about 5 months ago)

Other

Published
Title
Published
2024-11-28
Title
CultBooking Hotel Booking Engine <= 2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-01-24
Title
Modal Window < 6.1.5 - Cross-Site Request Forgery to Settings Ipdate
Published
2025-09-09
Title
WooCommerce Booking Bundle Hours < 0.7.5 - Cross-Site Request Forgery
Published
2025-04-09
Title
Seo Meta Tags <= 1.4 - Cross-Site Request Forgery to Privilege Escalation
Published
2025-09-05
Title
Woocommerce Notify Updated Product <= 1.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting