More than 70,000 websites using the Inspiro WordPress theme are affected by a high-severity cross-site request forgery (CSRF) flaw, tracked as CVE-2025-8592, that could be leveraged to install plugins without authorization, The Cyber Express reports.
The vulnerability stems from improper nonce validation in the inspiro_install_plugin() function. According to WordPress security firm Wordfence, attackers could exploit it by luring a website administrator into clicking a malicious link, which would then trigger the installation of unwanted plugins on the administrator's site. CleanTalk's Dmitrii Ignatyev, who identified the CSRF defect, noted that because the flaw does not require the attacker to be authenticated, even low-skilled threat actors could exploit it. Administrators of affected websites have been advised to update to Inspiro version 2.1.3, which resolves the issue, and to keep monitoring vulnerability databases and security advisories. The case illustrates that even well-maintained projects are not immune to security flaws.
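The defect described above is a plugin-install handler whose nonce check is missing or ineffective. As an added illustration (not Inspiro's own code, which the report does not quote), the hypothetical handler below shows the weak pattern beside the hardened one; the function, action and nonce names are assumptions, while the WordPress API calls are real:

```php
<?php
// Added illustration, not code from the Inspiro theme. Function, action and
// nonce names are hypothetical; only the WordPress APIs used are real.

// Weak pattern: the handler never verifies that the request was built from
// the admin's own page, so a request submitted from any site the admin
// visits is accepted with the admin's session cookies attached (CSRF).
function example_theme_install_plugin_unsafe() {
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    example_theme_do_install( $slug );
}

// Hardened pattern: require a nonce bound to this action and the current
// user, then an explicit capability check. check_ajax_referer() terminates
// the request when the nonce is missing, expired or forged.
function example_theme_install_plugin_safe() {
    check_ajax_referer( 'example_theme_install_plugin', 'nonce' );
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    if ( '' === $slug ) {
        wp_send_json_error( array( 'message' => 'Missing plugin slug.' ), 400 );
    }
    example_theme_do_install( $slug );
}
add_action( 'wp_ajax_example_theme_install_plugin', 'example_theme_install_plugin_safe' );

// Shared install step using core's upgrader; it is the privileged action
// the nonce and capability checks above are meant to guard.
function example_theme_do_install( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 400 );
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}

// The nonce is minted server-side for the admin page's script, so only a
// request assembled from that page carries a value the handler accepts.
function example_theme_admin_assets() {
    wp_localize_script( 'example-theme-admin', 'exampleTheme', array(
        'nonce'   => wp_create_nonce( 'example_theme_install_plugin' ),
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_theme_admin_assets' );
```

When reviewing a theme or plugin for this class of bug, look for every admin-ajax.php or admin-post.php handler that performs a privileged action and confirm it calls a nonce check and a capability check before doing so.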