CVE-2025-23567: 
WordPress vulnerability analysis and mitigation

The GDReseller WordPress plugin versions up to and including 1.6 contain a Cross-Site Request Forgery (CSRF) vulnerability that was discovered on January 16, 2025. This security flaw allows unauthenticated attackers to perform actions on behalf of authenticated administrators by exploiting missing or incorrect nonce validation (WPScan, Patchstack).

The vulnerability stems from inadequate nonce validation in the plugin's functionality, which can lead to stored Cross-Site Scripting (XSS). The severity of this vulnerability has been assessed with a CVSS score of 6.1 (medium) according to WPScan, while Patchstack rates it at 7.1 (low). The vulnerability is classified under CWE-352 and falls into the OWASP Top 10 category A2: Broken Authentication and Session Management (WPScan, Patchstack).

If successfully exploited, this vulnerability allows attackers to update settings and inject malicious web scripts through forged requests, provided they can trick a site administrator into performing specific actions such as clicking on a malicious link (WPScan).

Currently, there is no official fix available for this vulnerability. The issue affects all versions of the GDReseller plugin up to and including version 1.6 (Patchstack).