CVE-2021-25073: 
WordPress vulnerability analysis and mitigation

The WP125 WordPress plugin before version 1.5.5 contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2021-25073. The vulnerability was discovered by Krzysztof Zając and publicly disclosed on December 23, 2021. This security flaw affects the plugin's ad management functionality, specifically impacting installations running versions prior to 1.5.5 (WPScan).

The vulnerability stems from the absence of CSRF protection mechanisms in various actions within the plugin, particularly in the ad deletion functionality. The CVSS v3.1 base score is 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) (NVD).

When exploited, this vulnerability allows attackers to trick authenticated administrators into deleting advertisements from their website without their knowledge or consent through CSRF attacks. This can lead to unauthorized removal of advertising content, potentially causing revenue loss and disruption to the site's advertising operations (WPScan).

The vulnerability has been patched in version 1.5.5 of the WP125 plugin. Site administrators are strongly advised to update to this version or later to protect against potential CSRF attacks (WordPress Patch).