A serious vulnerability (CVE-2025-8592) has been found in the Inspiro WordPress theme, affecting over 70,000 sites. The flaw is a Cross-Site Request Forgery (CSRF) bug that lets an unauthenticated attacker cause plugins to be installed without the administrator's consent.
Disclosed on August 20, 2025, the issue stems from missing nonce validation in the inspiro_install_plugin() function. An attacker can trick a logged-in admin into clicking a malicious link; the forged request then rides the admin's authenticated session to install unauthorized plugins.
Rated 8.1 (High) on the CVSS scale, the bug requires no login and minimal user interaction, making it easy to exploit. Researcher Dmitrii Ignatyev flagged the threat, and Wordfence warned of its potential for serious site compromise.
WPZoom patched the flaw in version 2.1.3. Users on earlier versions should update immediately. The incident highlights ongoing risks in third-party WordPress themes and the importance of timely patching and security monitoring.
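As an added illustration (not Inspiro's or WPZoom's code), the bug class the article describes: a theme-registered admin-ajax handler that installs plugins without nonce validation, shown next to a hardened handler that checks the nonce, the capability and the input before acting. All `demo_` names are hypothetical.

```php
<?php
// Illustrative example, not code from the Inspiro theme. "demo_" names are hypothetical.

// VULNERABLE PATTERN: no nonce and no capability check, so any request that
// carries an administrator's cookies is honoured, which is what a CSRF bug exploits.
function demo_install_plugin_unsafe() {
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    demo_run_plugin_install( $slug ); // no check_ajax_referer(), no current_user_can()
}

// HARDENED PATTERN: nonce first (defeats CSRF), then capability (least privilege),
// then input validation, and only then the privileged action.
function demo_install_plugin_safe() {
    // Dies with HTTP 403 unless the 'nonce' field was issued for action
    // 'demo_install_plugin' to the current user's session.
    check_ajax_referer( 'demo_install_plugin', 'nonce' );

    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    $slug = sanitize_key( wp_unslash( $_POST['slug'] ?? '' ) );
    if ( '' === $slug ) {
        wp_send_json_error( 'Missing plugin slug', 400 );
    }

    $result = demo_run_plugin_install( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}

// Installs a plugin from the WordPress.org repository with core's upgrader.
function demo_run_plugin_install( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new Automatic_Upgrader_Skin() );
    return $upgrader->install( $api->download_link );
}

// Only the hardened handler is wired up; the JS side must post the value of
// wp_create_nonce( 'demo_install_plugin' ) as the 'nonce' field.
add_action( 'wp_ajax_demo_install_plugin', 'demo_install_plugin_safe' );
```

Inspecting which of these checks an AJAX or admin-post handler performs before a state-changing action is the quickest way to triage a theme or plugin for this bug class.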