CVE-2025-3097: 
WordPress vulnerability analysis and mitigation

The wp Time Machine plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 3.4.0. The vulnerability was discovered and disclosed on April 2, 2025, and has been assigned identifier CVE-2025-3097. The plugin has been temporarily closed pending a full security review (WordPress Plugin, NVD).

The vulnerability stems from missing or incorrect nonce validation on the 'wpTimeMachineCore.php' page. The CVSS v3.1 base score is 6.1 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

The vulnerability allows unauthenticated attackers to update settings and inject malicious web scripts through forged requests, provided they can trick a site administrator into performing specific actions such as clicking on a malicious link (NVD).

As of April 1, 2025, the plugin has been temporarily closed and is not available for download pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).