CVE-2025-57918 HIGH

CVE-2025-57918: WordPress LinkedInclude Plugin <= 3.0.4 - Cross Site Request Forgery (CSRF) Vulnerability

Vendor Era404
Product LinkedInclude
Weakness CWE-352 · CSRF
Published September 22, 2025
Last update May 13, 2026

CVSS base score

7.1/10 (High)
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Cross-Site Request Forgery (CSRF) vulnerability in ERA404 LinkedInclude linkedinclude allows Stored XSS. This issue affects LinkedInclude: from n/a through <= 3.0.4.

Explanation of Vulnerability in Simple Terms

02 Summary

LinkedInclude versions up to and including 3.0.4 contain a cross-site request forgery (CSRF) vulnerability. The plugin accepts a state-changing request without verifying that the logged-in user deliberately submitted it, so an attacker can build a page or link that makes the victim's browser send that request with the victim's own session. According to the CVE description, the forged request can be used to plant stored cross-site scripting (XSS): attacker-supplied content is saved by the plugin and later rendered in the site's pages. Exploitation requires user interaction, typically a user with rights to change the plugin's data (in practice an administrator) opening an attacker-controlled page while logged in. The record does not name a fixed release; treat every version through 3.0.4 as affected.

What an attacker can do

03 Attacker Capabilities

Cause a logged-in user's browser to submit a request that the plugin accepts without a CSRF check, so the action is carried out with that user's privileges. Because the description states the outcome is stored XSS, the attacker can also get script of their choosing persisted on the site and executed in the browsers of users who later view the affected content.

Potential impact on your site

04 Site Impact

Attackers can modify site data or settings without the site owner's knowledge when a logged-in user opens a malicious page. Since the result is stored XSS, the injected script stays on the site and can run for other visitors or administrators, which in turn can lead to session theft, further unauthorized changes, or manipulated page content.

Conditions required to exploit

05 Prerequisites

The site must run LinkedInclude 3.0.4 or earlier. A user with sufficient privileges must be logged in and, in that same browser, open an attacker-controlled page or follow an attacker-supplied link. The attacker needs no account on the site (privileges required: none), but cannot succeed without that user interaction.
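The pattern behind a CSRF-to-stored-XSS bug in a WordPress plugin, and the fix, as an added illustration. This is generic example code written for this page, not LinkedInclude's code or a reproduction of this CVE; the advisory does not disclose which endpoint or parameter is affected, so every function, action, option and field name below (example_save, example_title, example_nonce, and so on) is hypothetical.

```php
<?php
// Added illustration, not LinkedInclude code. A hypothetical WordPress
// settings handler in its CSRF-vulnerable form, then hardened. All names
// (example_save, example_title, example_nonce) are made up for this example.

// VULNERABLE: any POST to admin-post.php?action=example_save is acted on.
// No nonce is checked, so a form on an attacker's page that a logged-in
// administrator's browser auto-submits is indistinguishable from a real one.
// The raw value is stored and later echoed unescaped, which is how a forged
// request turns into stored XSS.
function example_save_vulnerable() {
    update_option( 'example_title', $_POST['title'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

function example_render_vulnerable() {
    // Anything stored above is rendered as HTML for every viewer of the page.
    echo '<h1>' . get_option( 'example_title' ) . '</h1>';
}

// HARDENED: capability check, nonce check, sanitize on write, escape on read.
function example_save_hardened() {
    // 1. Only users allowed to change settings may reach this code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 2. The request must carry a nonce minted for this action and this user.
    //    A cross-site form cannot obtain one; check_admin_referer() dies on failure.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 3. Validate and sanitize before storing.
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';
    update_option( 'example_title', $title );

    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

function example_render_hardened() {
    // 4. Escape on output regardless of what was stored.
    echo '<h1>' . esc_html( get_option( 'example_title' ) ) . '</h1>';
}

// The legitimate form emits the nonce field the hardened handler verifies.
function example_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    echo '<input type="hidden" name="action" value="example_save">';
    echo '<input type="text" name="title" value="'
        . esc_attr( get_option( 'example_title' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Wire the hardened handler to the admin-post.php action.
add_action( 'admin_post_example_save', 'example_save_hardened' );
```

The nonce check alone closes the CSRF vector; the capability check, input sanitization and output escaping are the layers that stop a forged or otherwise unexpected request from turning into stored XSS, which is the chain the CVE description reports. When reviewing a plugin for this class of bug, look for handlers reachable through admin-post.php, admin-ajax.php, or a settings page that call update_option(), wp_update_post() or similar without a preceding check_admin_referer() / wp_verify_nonce() call.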

Key dates

06 Disclosure timeline

September 22, 2025 CVE published
May 13, 2026 Record updated