cleantalk
Vulnerabilities and Security Researches

ContentMX Content Publisher, CVE-2025-9889

CVE, Research URL

CVE-2025-9889

Home page URL

Security reports for ContentMX Content Publisher

Application

ContentMX Content Publisher

Published on
Oct 03, 2025
Research Description
The ContentMX Content Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on the cmx_activate_connection function. This makes it possible for unauthenticated attackers to bind their own ContentMX connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.0.7.
Status
vulnerable
Previous vulnerability researches
CI HUB Connector (CVE-2026-4353) , Apr 23, 2026
New vulnerability
Deliver via Shipos for WooCommerce (CVE-2025-57914) , Apr 23, 2026
DethemeKit For Elementor (CVE-2025-57995) , Apr 23, 2026
Uncanny Toolkit for LearnDash (CVE-2025-57988) , Apr 23, 2026
Enter Addons – Ultimate Template Builder for Elementor (CVE-2025-8687) , Apr 23, 2026
Maspik – Spam Blacklist (CVE-2025-9888) , Apr 23, 2026