CVE-2025-60208 HIGH

CVE-2025-60208: WordPress Advanced Custom Fields : CPT Options Pages plugin <= 2.0.9 - Cross Site Request Forgery (CSRF) vulnerability

Vendor Tusko Trush
Product Advanced Custom Fields : CPT Options Pages
Weakness CWE-352 · CSRF
Published October 22, 2025
Last update April 28, 2026
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Cross-Site Request Forgery (CSRF) vulnerability in Tusko Trush Advanced Custom Fields : CPT Options Pages acf-cpt-options-pages allows Object Injection.This issue affects Advanced Custom Fields : CPT Options Pages: from n/a through <= 2.0.9.

Key dates

02Disclosure timeline

October 22, 2025 CVE published
April 28, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2019-1764 Cisco IP Phone 8800 Series Cross-Site Request Forgery Vulnerability CVE-2024-54427 WordPress Category of Posts plugin <= 1.0 - CSRF to Stored XSS vulnerability CVE-2024-49250 WordPress Table of Contents Plus plugin <= 2408 - Cross Site Request Forgery (CSRF) vulnerability CVE-2022-37405 WordPress Better Font Awesome plugin <= 2.0.1 - Cross-Site Request Forgery (CSRF) vulnerability CVE-2025-47543 WordPress TrueBooker plugin <= 1.0.7 - Cross Site Request Forgery (CSRF) Vulnerability