Giveaways and Contests by RafflePress < 1.12.21 – Cross-Site Request Forgery | CVE 2025-66064 | Plugin Vulnerabilities

Description

The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Fixed in 1.12.21

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/15cad3f3-5a23-427f-8dd2-8edf38245fe0

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Nabil Irawan

Verified

No

WPVDB ID

e66d38c1-e03e-4af1-bc8e-8766c68ef431

Timeline

Publicly Published

2025-11-21 (about 5 months ago)

Added

2025-11-25 (about 5 months ago)

Last Updated

2025-11-25 (about 5 months ago)

Other

Published

Title

Published

2025-12-31

Title

Gmail SMTP <= 1.0.7 - Cross-Site Request Forgery

Published

2024-04-15

Title

Related Posts for WordPress <= 4.0.3 - Cross-Site Request Forgery

Published

2025-12-15

Title

Meks Quick Plugin Disabler <= 1.0 - Cross-Site Request Forgery

Published

2025-09-05

Title

TrustMate.io – WooCommerce integration <= 1.16.0 - Cross-Site Request Forgery

Published

2025-06-05

Title

Widgetize Pages Light <= 3.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting