CVE-2025-60113 MEDIUM

CVE-2025-60113: WordPress Groovy Menu Plugin <= 1.4.3 - Cross Site Request Forgery (CSRF) Vulnerability

Vendor: Grooni
Product: Groovy Menu
Weakness: CWE-352 · CSRF
Published: September 26, 2025
Last update: April 28, 2026

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

Cross-Site Request Forgery (CSRF) vulnerability in grooni Groovy Menu (groovy-menu-free) allows Cross Site Request Forgery. This issue affects Groovy Menu: from n/a through <= 1.4.3.

Explanation of Vulnerability in Simple Terms

02 Summary

Groovy Menu versions up to and including 1.4.3 contain a cross-site request forgery (CSRF) vulnerability that lets an attacker perform unauthorized actions on behalf of site users. An attacker can craft a malicious link or page that, when visited by a logged-in user, causes that user's browser to submit a request that changes menu settings or configuration. The vulnerability requires user interaction (the victim must click a link or visit a page) and does not expose sensitive data.
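The root cause of a WordPress CSRF of this kind is a state-changing handler that does not tie the request to a nonce the user's own page issued. The following is an added illustration, not Groovy Menu's code; the hypothetical `gm_demo_*` names and option key are assumptions. It shows the unprotected pattern beside the hardened one using WordPress's built-in nonce and capability checks.

```php
<?php
// Added illustration (not the plugin's code). All gm_demo_* names are hypothetical.

// Unprotected pattern: any POST is honoured, so a form on an attacker's page that
// a logged-in admin's browser submits (cookies attached) is processed as if the
// admin had intended the change.
function gm_demo_save_settings_unsafe() {
    if ( isset( $_POST['gm_demo_menu_layout'] ) ) {
        update_option(
            'gm_demo_menu_layout',
            sanitize_text_field( wp_unslash( $_POST['gm_demo_menu_layout'] ) )
        );
    }
}

// Hardened pattern: require the capability AND a nonce bound to this action.
// check_admin_referer() stops the request when the nonce is missing or invalid;
// a cross-site form cannot obtain a valid nonce for the victim's session.
function gm_demo_save_settings_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'gm-demo' ), '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'gm_demo_save_settings', 'gm_demo_nonce' );

    if ( isset( $_POST['gm_demo_menu_layout'] ) ) {
        update_option(
            'gm_demo_menu_layout',
            sanitize_text_field( wp_unslash( $_POST['gm_demo_menu_layout'] ) )
        );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=gm_demo&updated=1' ) );
    exit;
}
add_action( 'admin_post_gm_demo_save_settings', 'gm_demo_save_settings_safe' );

// The legitimate form must emit the matching nonce, otherwise real saves fail too.
function gm_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="gm_demo_save_settings">
        <?php wp_nonce_field( 'gm_demo_save_settings', 'gm_demo_nonce' ); ?>
        <input type="text" name="gm_demo_menu_layout"
               value="<?php echo esc_attr( get_option( 'gm_demo_menu_layout', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

For `wp_ajax_*` handlers the equivalent check is `check_ajax_referer()`; when auditing a plugin, look for every `update_option()`, `wp_update_nav_menu_item()` or similar write reached from `admin-post.php` or `admin-ajax.php` without one of these calls plus a capability check.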

What an attacker can do

03 Attacker Capabilities

Perform unauthorized menu configuration changes on behalf of a logged-in user who is lured to an attacker-controlled page.

Potential impact on your site

04 Site Impact

Menu settings could be altered without your knowledge if an admin or editor visits a malicious link while logged in.

Conditions required to exploit

05 Prerequisites

The victim must be logged in with sufficient privileges and must click an attacker-controlled link or visit a malicious page.

Key dates

06 Disclosure timeline

September 26, 2025: CVE published
April 28, 2026: Record updated