← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2025-22300 · CWE-352 · Disclosed 2025-01-07

Cross-Site Request Forgery

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a forged sticky note slipped under an admin’s door, not a skeleton key

CVE-2025-22300 is a CSRF flaw in the WordPress plugin PixelYourSite – Your smart PIXEL (TAG) Manager. Affected versions are <= 10.0.1.2, and the fix landed in 10.0.2. Third-party analysis attributes the issue to missing or incorrect nonce validation in the plugin's init() path, which means an attacker can craft a request that changes plugin settings if a privileged WordPress user submits it while authenticated.

The vendor's MEDIUM 5.4 score is defensible in a vacuum, but for enterprise patch triage it overstates urgency. This is not unauthenticated internet-to-RCE; it is user-interaction-required admin-session riding against a single plugin's settings surface. Broad install base matters, but the practical exploit chain still depends on luring a logged-in admin and only yields configuration tampering, so this drops into LOW for most 10,000-host programs.

"A real bug, but it needs an already-logged-in admin to take the bait and only buys settings tampering."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a site running the plugin

The attacker first identifies a WordPress site that likely uses PixelYourSite, typically through front-end artifacts, plugin fingerprinting, or broader WordPress recon using tools like wpscan or browser-source inspection. This is not a network-edge service exploit; the plugin usually rides behind the normal web application.
Conditions required:
  • Target runs WordPress with PixelYourSite installed
  • Attacker can reach the public site or otherwise profile it
Where this breaks in practice:
  • Plugin presence is not always cleanly fingerprintable from the internet
  • Internet scanners like Shodan/Censys do not reliably expose plugin-version precision for WordPress plugins
Detection/coverage: External ASM and WordPress-focused scanners may identify the plugin slug, but version-level certainty often requires authenticated inventory, WP-CLI, file inspection, or a vulnerability plugin/feed.
STEP 02

Lure an authenticated admin

The attacker needs a privileged WordPress user to be logged in and then browse to attacker-controlled content or click a crafted link. Typical tooling is just a malicious HTML form, auto-submit JavaScript, or a phishing page; Burp Suite or raw curl is enough to build the request.
Conditions required:
  • A site administrator or equivalent privileged user is authenticated to WordPress
  • The attacker can deliver a link, page, or embedded content to that user
Where this breaks in practice:
  • This is post-delivery social engineering, not direct exploitation
  • Email security, browser isolation, user caution, and short admin sessions all reduce success
  • Many enterprises separate admin workstations from general browsing
Detection/coverage: No generic network scanner will prove exploitability here. Detection is mostly indirect: suspicious referrers, unusual admin POSTs, or web logs showing settings changes without normal admin navigation.
STEP 03

Replay a forged settings request

Because the vulnerable code path lacks proper nonce validation, the victim browser can submit a state-changing request under the admin's session. The browser automatically carries cookies, so WordPress treats the request as coming from the logged-in admin.
Conditions required:
  • The forged request hits the vulnerable settings-changing endpoint or handler
  • The victim session is still valid when the request is sent
Where this breaks in practice:
  • Any additional capability checks or workflow constraints can narrow what actually changes
  • Admin nonce hardening elsewhere in the platform can limit adjacent abuse, even if this handler is weak
Detection/coverage: Web application logging can catch anomalous admin POSTs. WAFs rarely help much against same-origin-looking, authenticated form submissions unless there are very specific signatures.
STEP 04

Modify plugin behavior

Successful exploitation changes PixelYourSite configuration rather than taking over the server. That can disrupt analytics, alter tracking behavior, or create privacy/compliance headaches; depending on which settings are writable, it may also let an attacker weaken telemetry integrity or inject business-impacting misconfiguration.
Conditions required:
  • The targeted setting is reachable through the vulnerable request
  • The admin account used has permission to alter plugin options
Where this breaks in practice:
  • Impact stays bounded to the plugin's option space, not arbitrary code execution
  • Modern configuration monitoring or content-change alerts may expose unexpected admin changes quickly
Detection/coverage: WordPress audit logs, file-integrity/config drift monitoring, and security plugins that track option changes can surface this. Traditional CVE scanners will not tell you whether exploitation already happened.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation found. OpenCVE surfaces CISA ADP SSVC metadata with Exploitation: none and Automatable: no, which matches the low-utility CSRF profile.
KEV statusNot KEV-listed per the user-supplied intel block; this also aligns with the absence of exploitation indicators in the public record and the non-automatable ADP assessment.
PoC availabilityNo widely indexed public PoC/exploit repo found in common public sources during review. This is easy to reproduce with a handcrafted HTML form or Burp Suite, but there is no notable mass-exploitation tooling signal.
EPSS0.0009 from the user-supplied intel block — effectively background noise. Public mirrors place it in the low-percentile range as well, reinforcing that attackers are not lining up for this bug.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L — the decisive term is UI:R. No user interaction, no bug.
Affected versionsAll versions through 10.0.1.2 are affected. Patchstack, Wordfence, and the CNA record all agree on that range.
Fixed version10.0.2 is the first fixed release. The WordPress.org changelog dated 2024-12-04 notes Security enhancements, which lines up with the advisory's patched version.
Exposure populationThe plugin currently shows 500,000+ active installations on WordPress.org, so the population is large. But exposure is application-level and admin-workflow dependent, not a directly scannable edge service.
Root cause / impactThird-party analysis attributes the flaw to missing or incorrect nonce validation in init(), allowing settings modification via forged request if an attacker can trick a logged-in administrator.
Disclosure / creditCVE published 2025-01-07 in NVD/CVE records; Patchstack lists report date 2024-11-27 and credits Dhabaleshwar Das.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.2/10)

The single biggest downward driver is that exploitation requires a logged-in privileged WordPress user to be tricked into sending the request. That attacker-position requirement makes this a social-engineering-assisted configuration bug, not a scalable initial-access primitive.

HIGH Exploit preconditions and patched version
MEDIUM Exact downstream business impact from settings tampering

Why this verdict

  • Downgrade for attacker position: despite PR:N in CVSS, the real-world chain still needs an already-authenticated admin session, which implies the attacker must first reach a privileged user rather than the server itself.
  • Downgrade for population actually reachable by the exploit step: 500k+ installs is broad, but only the subset where admins can be lured while logged in is exploitable; that is a much narrower operational population than the install count suggests.
  • Downgrade for tool friction: modern email security, browser isolation, short-lived admin sessions, and separate admin workstations often break the lure step before the forged request lands.
  • Keep above IGNORE because blast radius is still real: Pixel/analytics settings can affect tracking integrity, privacy posture, and business reporting, so this is not a fake bug or a harmless edge case.

Why not higher?

There is no evidence here of unauthenticated code execution, privilege escalation on the server, or a direct internet-reachable edge exploit. The exploit chain is fragile because it depends on user interaction by a privileged admin and only changes plugin settings, so this does not belong in MEDIUM-or-higher Monday-morning fire-drill territory.

Why not lower?

This is still a legitimate, patched vulnerability in a plugin with a very large deployment base. If the writable options are abused, you can lose integrity in analytics and compliance-relevant tracking behavior, so documenting and eventually fixing it is warranted rather than dismissing it outright.

05 · Compensating Control

What to do — in priority order.

  1. Restrict admin browsing — Have WordPress administrators perform plugin administration only from dedicated admin profiles or workstations, and avoid casual browsing while logged in. For a LOW verdict there is no mitigation SLA; treat this as backlog hygiene and fold the control into normal admin-hardening practice.
  2. Turn on WordPress audit logging — Log plugin-option changes and admin POST activity so forged settings changes are visible after the fact. For LOW, there is no mitigation SLA; add this in the next normal monitoring improvement cycle if not already present.
  3. Use security plugins with admin-change monitoring — WordPress-focused security tooling can alert on plugin setting changes, which is more useful here than generic perimeter blocking. For LOW, there is no mitigation SLA; deploy as part of regular platform hygiene.
  4. Shorten admin session exposure — Reduce persistent logged-in admin sessions and require reauthentication for privileged work where feasible. That directly attacks the CSRF precondition by shrinking the window in which a lure can reuse the victim's cookies.
What doesn't work
  • A network firewall does not meaningfully help because the malicious request rides over the victim's legitimate browser session to the normal website endpoint.
  • A signature-only WAF is weak here because the forged request can look like an ordinary authenticated admin form submission.
  • MFA at login is good baseline hygiene but does not stop CSRF once the administrator is already logged in and the browser will send the session cookie.
06 · Verification

Crowdsourced verification payload.

Run this on the WordPress host or inside the container/VM that serves the site. Invoke it as bash check-pixelyoursite-cve-2025-22300.sh /var/www/html or point it directly at the plugin directory; it needs read access to the WordPress files only, not root.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check-pixelyoursite-cve-2025-22300.sh
# Detect whether the installed PixelYourSite plugin version is affected by CVE-2025-22300.
# Usage:
#   bash check-pixelyoursite-cve-2025-22300.sh /var/www/html
#   bash check-pixelyoursite-cve-2025-22300.sh /var/www/html/wp-content/plugins/pixelyoursite
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -u

TARGET="${1:-}"
if [ -z "$TARGET" ]; then
  echo "UNKNOWN - provide WordPress root or plugin directory path"
  exit 2
fi

PLUGIN_DIR=""
MAIN_FILE=""

if [ -d "$TARGET/wp-content/plugins/pixelyoursite" ]; then
  PLUGIN_DIR="$TARGET/wp-content/plugins/pixelyoursite"
elif [ -d "$TARGET" ] && [ -f "$TARGET/pixelyoursite.php" ]; then
  PLUGIN_DIR="$TARGET"
else
  echo "UNKNOWN - PixelYourSite plugin directory not found at target path"
  exit 2
fi

MAIN_FILE="$PLUGIN_DIR/pixelyoursite.php"
if [ ! -r "$MAIN_FILE" ]; then
  echo "UNKNOWN - cannot read $MAIN_FILE"
  exit 2
fi

VERSION=$(awk -F': ' 'BEGIN{IGNORECASE=1} /^Version:[[:space:]]*/ {gsub(/\r/,"",$2); print $2; exit}' "$MAIN_FILE")
if [ -z "$VERSION" ]; then
  VERSION=$(grep -Eoi "Version:[[:space:]]*[0-9]+(\.[0-9]+)+" "$MAIN_FILE" | head -n1 | sed -E 's/Version:[[:space:]]*//I')
fi

if [ -z "$VERSION" ]; then
  echo "UNKNOWN - could not determine installed plugin version"
  exit 2
fi

verlte() {
  # returns 0 if $1 <= $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

if verlte "$VERSION" "10.0.1.2"; then
  echo "VULNERABLE - PixelYourSite version $VERSION (affected: <= 10.0.1.2, fixed: 10.0.2+)"
  exit 1
fi

if verlte "10.0.2" "$VERSION"; then
  echo "PATCHED - PixelYourSite version $VERSION"
  exit 0
fi

echo "UNKNOWN - detected version $VERSION but comparison was inconclusive"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: query your WordPress fleet for the pixelyoursite plugin and identify anything on 10.0.1.2 or earlier, but do not let this jump the queue ahead of remotely exploitable flaws. For a LOW noisgate verdict there is no noisgate mitigation SLA and no noisgate remediation SLA — treat it as backlog hygiene, fold admin-session hardening into normal platform controls, and push the vendor update to 10.0.2+ in your next scheduled WordPress/plugin maintenance cycle rather than an emergency change window.

Sources

  1. NVD CVE-2025-22300
  2. Patchstack advisory for PixelYourSite <= 10.0.1.2
  3. Wordfence vulnerability record
  4. WordPress.org plugin page and changelog
  5. OpenCVE record with CNA and CISA ADP metadata
  6. Rapid7 vulnerability database entry
  7. CISA Known Exploited Vulnerabilities catalog
  8. FIRST EPSS API documentation
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.