The RateMyAgent Official plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.0. This is due to missing or incorrect nonce validation on the 'rma-settings-wizard'. This makes it possible for unauthenticated attackers to update the plugin's API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Thu, 06 Mar 2025 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Ratemyagent
Ratemyagent ratemyagent
CPEs cpe:2.3:a:ratemyagent:ratemyagent:*:*:*:*:*:wordpress:*:*
Vendors & Products Ratemyagent
Ratemyagent ratemyagent

Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 28 Feb 2025 04:45:00 +0000

Type Values Removed Values Added
Description The RateMyAgent Official plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.0. This is due to missing or incorrect nonce validation on the 'rma-settings-wizard'. This makes it possible for unauthenticated attackers to update the plugin's API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title RateMyAgent Official <= 1.4.0 - Cross-Site Request Forgery to API Key Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2025-02-28T15:14:01.351Z

Reserved: 2025-01-28T14:45:28.388Z

Link: CVE-2025-0801

cve-icon Vulnrichment

Updated: 2025-02-28T15:13:57.316Z

cve-icon NVD

Status : Analyzed

Published: 2025-02-28T05:15:33.683

Modified: 2025-03-06T20:21:36.547

Link: CVE-2025-0801

cve-icon Redhat

No data.