CVE-2025-9882: 
WordPress vulnerability analysis and mitigation

The osTicket WP Bridge plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 1.9.2. The vulnerability was discovered and disclosed on September 20, 2025. The issue affects the plugin's configuration functionality and stems from missing or incorrect nonce validation (NVD).

The vulnerability is classified as a Cross-Site Request Forgery (CWE-352) with a CVSS v3.1 base score of 6.1 (Medium). The attack vector is network-based (AV:N), requires low attack complexity (AC:L), needs no privileges (PR:N), requires user interaction (UI:R), and has a changed scope (S:C) with low confidentiality and integrity impact (C:L/I:L) and no availability impact (A:N) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to update settings and inject malicious web scripts through forged requests. This is possible when they can trick a site administrator into performing specific actions, such as clicking on a malicious link (NVD).

Users should upgrade to a version newer than 1.9.2 when available. As the plugin has been temporarily closed for security review as of September 17, 2025, administrators should consider disabling the plugin until an updated version is released (WordPress Plugin).