CVE-2025-9621: 
WordPress vulnerability analysis and mitigation

The WidgetPack Comment System plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 1.6.1. This vulnerability was disclosed on October 11, 2025, and has been assigned CVE-2025-9621. The vulnerability affects the wpcmtsync action in the wpcmtrequest_handler function due to missing or incorrect nonce validation (NVD).

The vulnerability stems from improper security controls in the wpcmtrequesthandler function, specifically around the wpcmt_sync action. The CVSS v3.1 Base Score is 4.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction (Wordfence).

If successfully exploited, this vulnerability allows unauthenticated attackers to trigger comment synchronization events through forged requests. The impact is limited but could potentially affect the integrity of the comment system if an administrator is tricked into performing specific actions (NVD).

Website administrators running the affected versions of WidgetPack Comment System should update to a version newer than 1.6.1 when available. In the meantime, administrators should be cautious about clicking on unknown links and exercise additional scrutiny when performing comment system-related actions (NVD).