CVE-2025-25138: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability was discovered in Rishi On Page SEO + Whatsapp Chat Button through version 2.0.0. The vulnerability allows attackers to perform Stored Cross-Site Scripting (XSS) attacks. This security issue was disclosed on February 7, 2025, and affects the On Page SEO + Whatsapp Chat Button WordPress plugin (NVD, Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The issue is classified as CWE-352 (Cross-Site Request Forgery). The vulnerability stems from missing or incorrect nonce validation on a function, which allows for CSRF attacks that can lead to stored XSS (WPScan).

The vulnerability enables unauthenticated attackers to update settings and inject malicious web scripts via forged requests, provided they can trick a site administrator into performing specific actions such as clicking on a malicious link (Patchstack).

Currently, there is no official fix available for this vulnerability. Users of the affected plugin versions (2.0.0 and earlier) should consider implementing additional security measures or temporarily disabling the plugin until a patch is released (Patchstack).