CVE-2025-49381: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability affects the ads.txt Guru Connect WordPress plugin versions up to and including 1.1.1. The vulnerability was discovered and reported by Nguyen Xuan Chien on July 17, 2025, and was publicly disclosed on August 20, 2025. This security issue has been assigned CVE-2025-49381 (Patchstack).

The vulnerability stems from missing or incorrect nonce validation on a function within the ads.txt Guru Connect plugin. The issue has been assigned a CVSS v3.1 Base Score of 9.6 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. The vulnerability is classified as CWE-352: Cross-Site Request Forgery (Rapid7).

This vulnerability allows unauthenticated attackers to perform unauthorized actions by tricking site administrators into performing specific actions, such as clicking on malicious links. The high CVSS score indicates potential for significant impact on the confidentiality, integrity, and availability of the affected system (Patchstack).

The vulnerability has been fixed in version 1.1.2 of the ads.txt Guru Connect plugin. Users are strongly advised to update to this version or later to remove the vulnerability. No alternative workarounds have been provided (Patchstack).