CVE-2025-60208 in Advanced Custom Fields Plugininfo

Summary

by MITRE • 10/22/2025

Cross-Site Request Forgery (CSRF) vulnerability in Tusko Trush Advanced Custom Fields : CPT Options Pages acf-cpt-options-pages allows Object Injection.This issue affects Advanced Custom Fields : CPT Options Pages: from n/a through <= 2.0.9.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 10/23/2025

The CVE-2025-60208 vulnerability represents a critical cross-site request forgery flaw within the Tusko Trush Advanced Custom Fields CPT Options Pages plugin, specifically affecting versions up to and including 2.0.9. This vulnerability stems from inadequate validation and protection mechanisms in the plugin's handling of user requests, creating a pathway for malicious actors to exploit the system's trust model. The issue manifests as an object injection vulnerability that operates within the context of the WordPress content management system, where authenticated users with sufficient privileges can be tricked into executing unintended actions on behalf of the application.

The technical implementation of this CSRF vulnerability occurs when the plugin fails to properly validate the origin of requests made to its administrative endpoints. The object injection aspect suggests that malicious payloads can be crafted to manipulate the plugin's internal object structures, potentially leading to unauthorized modifications of configuration settings or data within the WordPress environment. This type of vulnerability falls under the CWE-352 category, which specifically addresses cross-site request forgery conditions where the application fails to validate that requests originate from legitimate sources. The vulnerability enables attackers to perform actions without the knowledge or consent of authenticated users, leveraging the trust relationship between the user's browser and the web application.

The operational impact of this vulnerability extends beyond simple data manipulation, as it can potentially allow attackers to escalate privileges within the WordPress environment. When combined with the object injection component, the vulnerability could enable attackers to inject malicious objects that might alter core plugin functionality or compromise the integrity of the entire WordPress installation. The affected plugin's role in managing custom post type options pages makes it particularly dangerous, as successful exploitation could allow attackers to modify critical configuration data that controls how content is displayed and managed within the site. This vulnerability directly impacts the principle of least privilege and can undermine the security model of the entire WordPress ecosystem.

Mitigation strategies for CVE-2025-60208 should prioritize immediate patching of the affected plugin to version 2.1.0 or later, where the CSRF protection mechanisms have been properly implemented. Security teams should implement additional protective measures including the enforcement of proper anti-CSRF tokens within all administrative endpoints, implementing strict request validation, and ensuring that all user actions require explicit confirmation through multi-factor authentication where possible. The vulnerability demonstrates the importance of proper input validation and the implementation of the principle of defense in depth, as outlined in the ATT&CK framework's application of privilege escalation techniques. Organizations should also consider implementing web application firewalls to detect and block suspicious requests, while conducting thorough security audits of all installed plugins to identify similar vulnerabilities that might exist in the broader WordPress ecosystem.

Responsible

Patchstack

Reservation

09/25/2025

Disclosure

10/22/2025

Moderation

accepted

CPE

ready

EPSS

0.00186

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!