CVE-2025-12188: 
WordPress vulnerability analysis and mitigation

The Posts Navigation Links for Sections and Headings – Free by WP Masters plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2025-12188. The vulnerability was discovered and disclosed on November 4, 2025, affecting all versions up to and including 1.0.1. The plugin has been temporarily closed since October 30, 2025, pending a full security review (NVD, WordPress Plugin).

The vulnerability stems from missing or incorrect nonce validation on the 'wpmnavigationlinks_settings' page. This security flaw has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (Wordfence).

The vulnerability allows unauthenticated attackers to modify the plugin's settings through forged requests, provided they can trick a site administrator into performing specific actions such as clicking on a malicious link (NVD).

The plugin has been temporarily closed and is not available for download pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).