CVE-2025-13408
Published
CVSS v3: 4.3 MEDIUM
CVSS v2: N/A
Affected: 1 PROJECT
Description
The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the foxtool_login_google() function. This makes it possible for unauthenticated attackers to establish an OAuth connection via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
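A source-review heuristic for the class of flaw described above, added here as an example and not taken from the plugin or the advisory: it lists hooked callbacks that read request input without calling one of WordPress core's nonce-verification functions. The PHP sample, hook names and function names are constructed and hypothetical, and the brace matching assumes no braces inside string literals.

```python
import re

# Nonce-verification functions provided by WordPress core.
NONCE_CHECKS = ("wp_verify_nonce", "check_admin_referer", "check_ajax_referer")

def strip_comments(php):
    """Drop block comments and whole-line // or # comments (heuristic)."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"^[ \t]*(//|#).*$", "", php, flags=re.M)

def function_body(php, name):
    """Return the brace-delimited body of `function name(...)`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", php)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(php) and depth:
        depth += (php[i] == "{") - (php[i] == "}")
        i += 1
    return php[m.end():i - 1] if depth == 0 else None

def missing_nonce_check(php):
    """List (hook, callback) pairs whose callback reads request input
    but never calls a nonce-verification function."""
    src = strip_comments(php)
    hooks = re.findall(r"add_action\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"](\w+)['\"]", src)
    findings = []
    for hook, callback in hooks:
        body = function_body(src, callback)
        if body is None or not re.search(r"\$_(GET|POST|REQUEST)\b", body):
            continue
        if not any(re.search(r"\b%s\s*\(" % c, body) for c in NONCE_CHECKS):
            findings.append((hook, callback))
    return findings

# Constructed sample; hook and function names are hypothetical.
SAMPLE = r"""
add_action('admin_post_demo_connect', 'demo_oauth_connect');
add_action('admin_post_demo_connect_fixed', 'demo_oauth_connect_fixed');
function demo_oauth_connect() {
    // check_admin_referer('demo_connect');
    if (isset($_GET['code'])) { update_option('demo_token', $_GET['code']); }
}
function demo_oauth_connect_fixed() {
    check_admin_referer('demo_connect');
    if (isset($_GET['code'])) { update_option('demo_token', sanitize_text_field($_GET['code'])); }
}
"""

if __name__ == "__main__":
    for hook, callback in missing_nonce_check(SAMPLE):
        print(f"{callback} (hook {hook}): reads request input without a nonce check")
```

A hit is a lead for manual review, not proof of a flaw: the check may live in a helper the callback calls, and a nonce check that is present can still be validated incorrectly.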
<p>Foxtool is a product developed based on the real needs of managing WordPress websites. After a period of development, Foxtool has become an indispensable plugin for website administrators.</p>
<p>The plugin boasts notable features including:</p>
<ul>
<li>Website optimization</li>
<li>Advanced security</li>
<li>Management tools</li>
<li>Customizable display</li>
<li>Powerful media management</li>
<li>Handy tools for Posts and Pages</li>
<li>Mail application</li>
<li>Woocommerce convenience</li>
<li>User permissions</li>
<li>Customizable WordPress login</li>
<li>Integration with Google services</li>
<li>Chat functionality</li>
<li>Information management</li>
</ul>
<p>Additionally, there are many other useful features that help save time for users. All are optimized to ensure stable and fast performance for your WordPress website.</p>
<h3>From within WordPress</h3>
<ol>
<li>Visit ‘Plugins > Add New’</li>
<li>Search for ‘Foxtool’</li>
<li>Activate ‘Foxtool’ from your Plugins page.</li>
</ol>
<h3>Manually</h3>
<ol>
<li>Upload the ‘foxtool’ folder to the ‘/wp-content/plugins/’ directory</li>
<li>Activate the ‘Foxtool’ plugin through the ‘Plugins’ menu in WordPress</li>
<li>Go to “after activation” below.</li>
</ol>