Homerunner, CVE-2025-5932
- CVE, Research URL
- Home page URL
- Application
- Published on
- Jun 26, 2025
- Research Description
- The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.29. This is due to missing or incorrect nonce validation on the main_settings() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions
-
Min -, max 1.0.29.
- Status
-
vulnerable
| Previous vulnerability researches |
|---|
| SlickNav Mobile Menu (CVE-2023-51548) , Jun 07, 2024 |
| SlickNav Mobile Menu (8ac347471b50a1389d4769f6f81f6712a8065d8f) , Jun 07, 2024 |