CVE-2025-12028

Name of the Vulnerable Software and Affected Versions WordPress IndieAuth plugin versions prior to 4.5.4

Description The software is susceptible to Cross-Site Request Forgery (CSRF) due to missing nonce verification. Specifically, the login form indieauth() function and the authorization endpoint at ''wp-login.php?action=indieauth'' lack proper validation. This allows an attacker to force authenticated users to approve OAuth authorization requests for applications controlled by the attacker. Successful exploitation requires tricking a user into performing an action while logged in, such as clicking a malicious link. The attacker can then exchange the stolen authorization code for an access token, potentially gaining control of the victim’s account with the granted scopes.

Recommendations Update to a version newer than 4.5.4. As a temporary workaround, consider disabling the login form indieauth() function until a patch is available. Restrict access to the authorization endpoint ''wp-login.php?action=indieauth'' to minimize the risk of exploitation.