CVE-2025-54694: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in bPlugins Button Block WordPress plugin, affecting versions through 1.2.0. The vulnerability was discovered by Nguyen Xuan Chien and was publicly disclosed on July 30, 2025 (Wordfence Intel, Patchstack).

The vulnerability has been assigned CVE-2025-54694 and is classified as CWE-352 (Cross-Site Request Forgery). It received a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD, Patchstack).

This vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The severity is considered low, with limited impact on integrity and no direct impact on confidentiality or availability (Patchstack).

The vulnerability has been fixed in version 1.2.1 of the Button Block plugin. Users are advised to update to version 1.2.1 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).