CVE-2025-9874: 
WordPress vulnerability analysis and mitigation

The Sitecore.Security.AntiCSRF module in Sitecore CMS and Experience Platform (XP) contains a critical deserialization vulnerability (CVE-2025-9874) that allows unauthenticated attackers to execute arbitrary code. The vulnerability affects Sitecore CMS versions 7.0 to 7.2 and Sitecore XP versions 7.5 to 8.2. The flaw was discovered in March 2025 and added to CISA's Known Exploited Vulnerabilities (KEV) catalog on March 26, 2025, with a remediation deadline of April 16, 2025 (CISA KEV, Hacker News).

The vulnerability exists in the Sitecore.Security.AntiCSRF module and can be exploited by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN. The flaw has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating its severe nature and ease of exploitation. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) (NVD).

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary code on the affected system, potentially leading to complete system compromise. The high CVSS score reflects the critical nature of the vulnerability, with potential impacts on the confidentiality, integrity, and availability of the affected systems (CISA KEV).

Organizations are required to apply vendor-provided patches or follow applicable BOD 22-01 guidance for cloud services. If mitigations are unavailable, CISA recommends discontinuing use of the affected products (CISA KEV).

Sitecore acknowledged the active exploitation of CVE-2025-9874 in an update shared on March 30, 2025. The security community has expressed concern about the critical nature of the vulnerability and its active exploitation status (Hacker News).