CVE-2025-4198: 
WordPress vulnerability analysis and mitigation

The Alink Tap plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 1.3.1. The vulnerability was discovered and reported on May 2, 2025, and has been assigned CVE-2025-4198. Due to the security concerns, the plugin has been temporarily closed and is not available for download pending a full security review (NVD Database, WordPress Plugin).

The vulnerability stems from missing or incorrect nonce validation on the 'alink-tap' page. The issue has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) (NVD Database, Wiz Report).

When exploited, this vulnerability allows unauthenticated attackers to update settings and inject malicious web scripts through forged requests. The attack requires user interaction, specifically tricking a site administrator into performing an action such as clicking on a malicious link (NVD Database).

As of May 1, 2025, the plugin has been temporarily closed and is not available for download pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).