CVE-2025-22325: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Nik Chankov Autocompleter WordPress plugin, affecting all versions up to and including 1.3.5.2. The vulnerability was initially reported on October 16, 2024, and was publicly disclosed on January 3, 2025. This security issue has been assigned CVE-2025-22325 (WPScan, Patchstack).

The vulnerability stems from missing or incorrect nonce validation on a function within the Autocompleter plugin. The severity of this vulnerability has been assessed with multiple CVSS scores: Patchstack assigned a CVSS 3.1 Base Score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, while WPScan rated it at 6.1 (medium). The vulnerability has been classified under CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability allows unauthenticated attackers to update settings and inject malicious web scripts through forged requests. The attack can be successful if an attacker manages to trick a site administrator into performing specific actions, such as clicking on a malicious link. The vulnerability enables both CSRF and potential stored XSS attacks (WPScan).

Currently, there is no official fix available for this vulnerability. The issue affects versions up to and including 1.3.5.2, and no patched version has been released yet. Patchstack has classified this as a low-priority vulnerability and indicates that virtual patching is unnecessary (Patchstack).