cleantalk
Vulnerabilities and Security Researches

ContentMX Content Publisher, CVE-2025-9889

CVE, Research URL

CVE-2025-9889

Home page URL

Security reports for ContentMX Content Publisher

Application

ContentMX Content Publisher

Published on
Oct 03, 2025
Research Description
The ContentMX Content Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on the cmx_activate_connection function. This makes it possible for unauthenticated attackers to bind their own ContentMX connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.0.7.
Status
vulnerable
Previous vulnerability researches
Course Booking Platform (CVE-2025-58887) , Sep 07, 2025
Booking Weir (2e61817c8a383fba887267b21f5423e453a335d3) , Jun 07, 2024
Booking Calendar – Clockwork SMS (CVE-2017-17780) , Jun 07, 2024
Booking Calendar – Clockwork SMS (CVE-2017-18555) , Jun 07, 2024
WP Booking (CVE-2024-35297) , Jun 07, 2024
New vulnerability
Team Slider and Team Grid Showcase plus Team Carousel (CVE-2026-6443) , Apr 23, 2026
Kama Click Counter (CVE-2025-58682) , Apr 23, 2026
Deliver via Shipos for WooCommerce (CVE-2025-57914) , Apr 23, 2026
DethemeKit For Elementor (CVE-2025-57995) , Apr 23, 2026
Uncanny Toolkit for LearnDash (CVE-2025-57988) , Apr 23, 2026