CVE-2025-2163

The Zoorum Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the zoorum_set_options() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/zoorum-comments/tags/0.9/zoorum-comments-admin.php#L18	Broken Link
https://plugins.trac.wordpress.org/browser/zoorum-comments/tags/0.9/zoorum-comments-admin.php#L38	Broken Link
https://wordpress.org/plugins/zoorum-comments/	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/2b58fb0f-c7ac-4ee6-84f1-ac14617a7c2b?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:zoorum:zoorum_comments:*:*:*:*:*:wordpress:*:*

History

28 Mar 2025, 19:46

Type	Values Removed	Values Added
CPE		cpe:2.3:a:zoorum:zoorum_comments::::::wordpress::*
First Time		Zoorum zoorum Comments Zoorum
References	~~() https://plugins.trac.wordpress.org/browser/zoorum-comments/tags/0.9/zoorum-comments-admin.php#L18 -~~	() https://plugins.trac.wordpress.org/browser/zoorum-comments/tags/0.9/zoorum-comments-admin.php#L18 - Broken Link
References	~~() https://plugins.trac.wordpress.org/browser/zoorum-comments/tags/0.9/zoorum-comments-admin.php#L38 -~~	() https://plugins.trac.wordpress.org/browser/zoorum-comments/tags/0.9/zoorum-comments-admin.php#L38 - Broken Link
References	~~() https://wordpress.org/plugins/zoorum-comments/ -~~	() https://wordpress.org/plugins/zoorum-comments/ - Product
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/2b58fb0f-c7ac-4ee6-84f1-ac14617a7c2b?source=cve -~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/2b58fb0f-c7ac-4ee6-84f1-ac14617a7c2b?source=cve - Third Party Advisory
Summary		(es) El complemento Zoorum Comments para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 0.9 incluida. Esto se debe a la falta o a una validación incorrecta de nonce en la función zoorum_set_options(). Esto permite que atacantes no autenticados actualicen la configuración e inyecten scripts web maliciosos mediante una solicitud falsificada, ya que pueden engañar al administrador del sitio para que realice una acción como hacer clic en un enlace.
CWE		CWE-352

15 Mar 2025, 04:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-15 04:15

Updated : 2025-03-28 19:46

NVD link : CVE-2025-2163

Mitre link : CVE-2025-2163

CVE.ORG link : CVE-2025-2163

JSON object : View

Products Affected

zoorum

zoorum_comments

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-352

Cross-Site Request Forgery (CSRF)

6.1 /10