CVE-2025-10301: 
WordPress vulnerability analysis and mitigation

The vulnerability identified as CVE-2025-10301 affects the FunKItools WordPress plugin versions up to and including 1.0.2. The vulnerability was discovered by Nabil Irawan from Heroes Cyber and was publicly disclosed on October 14, 2025. This security issue has been classified as a Cross-Site Request Forgery (CSRF) vulnerability that specifically impacts the plugin's settings update functionality (NVD NIST, Wordfence Intel).

The vulnerability stems from missing or incorrect nonce validation in the saveFields() function within the plugin's codebase. The issue has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability is categorized under CWE-352 (Cross-Site Request Forgery) (NVD NIST).

When exploited, this vulnerability allows unauthenticated attackers to modify plugin settings through forged requests. The attack can only succeed if an attacker manages to trick a site administrator into performing specific actions, such as clicking on a malicious link (NVD NIST).

As of October 15, 2025, this vulnerability remains unpatched. Site administrators running affected versions of the FunKItools plugin should consider temporarily disabling the plugin until a security update is available (Wordfence Weekly).