CVE-2025-7684: 
WordPress vulnerability analysis and mitigation

The Last.fm Recent Album Artwork plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2025-7684, affecting all versions up to and including 1.0.2. The vulnerability was discovered and reported on August 15, 2025, with a CVSS v3.1 base score of 6.1 (Medium) (Wordfence).

The vulnerability stems from missing or incorrect nonce validation on the 'lastfm_albums_artwork.php' page. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability can be exploited remotely with low attack complexity, requires no privileges but does need user interaction, and can result in low-level confidentiality and integrity impacts (NVD).

If successfully exploited, the vulnerability allows unauthenticated attackers to update settings and inject malicious web scripts through forged requests. The impact is contingent upon tricking a site administrator into performing specific actions, such as clicking on a malicious link (NVD).

The plugin has been temporarily closed as of August 14, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).