CVE-2025-54728: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability affects CreativeMindsSolutions CM On Demand Search And Replace WordPress plugin versions through 1.5.2. The vulnerability was discovered by Bao - BlueRock and publicly disclosed on August 14, 2025. This security issue allows Cross Site Request Forgery attacks against the plugin functionality (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. This indicates the vulnerability is network accessible, requires low attack complexity, needs no privileges, requires user interaction, has unchanged scope, and can impact integrity but not confidentiality or availability. The vulnerability is tracked as CWE-352 (Cross-Site Request Forgery) (AttackerKB, Patchstack).

The CSRF vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The severity is considered low, with primary impact on system integrity (Patchstack).

The vulnerability has been fixed in version 1.5.3 of the CM On Demand Search And Replace plugin. Users are advised to update to version 1.5.3 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).