CVE-2025-60113: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was identified in grooni Groovy Menu, affecting versions through 1.4.3. The vulnerability was discovered by Nguyen Xuan Chien and was publicly disclosed on September 26, 2025. The issue received the identifier CVE-2025-60113 and was assigned a CVSS v3.1 score of 4.3 (Medium) (Patchstack).

The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) and received a CVSS v3.1 Base Score of 4.3 with the following vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, requires user interaction, has a limited impact on integrity, and does not affect confidentiality or availability (NVD).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The software is considered abandoned as it was last updated over a year ago and is unlikely to receive further updates or fixes (Patchstack).

As there is no official fix available, the recommended mitigation is to remove and replace the software with an alternative solution. It's important to note that merely deactivating the software does not remove the security threat unless a virtual patch is deployed (Patchstack).