CVE-2025-60156: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in webandprint AR For WordPress plugin, affecting versions up to 7.98. The vulnerability was reported on July 26, 2025, by security researcher Abu Hurayra and was publicly disclosed on September 26, 2025. The vulnerability has been assigned identifier CVE-2025-60156 (Patchstack).

The vulnerability is classified as a Cross-Site Request Forgery (CSRF) issue, identified as CWE-352. It received a CVSS v3.1 base score of 9.6 (CRITICAL) with the following vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. This scoring indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (Patchstack).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The critical CVSS score of 9.6 indicates potential for severe impact, with high ratings for confidentiality, integrity, and availability (Patchstack).

As of the disclosure date, no official fix has been released for this vulnerability. The issue affects versions up to 7.98, and users are advised to monitor for updates from the plugin developer (Patchstack).