CVE CyberSecurity Database News

CVE-2025-25103 - Cross-Site Request Forgery (CSRF) in bnielsen Indeed API (up to .5)

Poster -

Cross Site Request Forgery (CSRF) continues to make the headlines, and now it’s bnielsen’s Indeed API plugin’s turn. If you’re running any version of the Indeed API up to .5, you’re at risk due to CVE-2025-25103. In this post, we’ll break down what’s wrong, how the exploit works, and what you should do about it. If you use this API on your site — listen up.

What is CVE-2025-25103?

This is a CSRF vulnerability found in the "Indeed API" plugin by bnielsen. CSRF lets attackers trick someone already logged into your site into performing unwanted actions — like changing settings or importing jobs — simply by visiting a malicious web page.

Affected Component:
- Indeed API plugin by bnielsen

CSRF: Why Does It Matter?

When a plugin (like Indeed API) handles POST or GET requests from anywhere without confirming if the request came from a legitimate, logged-in user, bad things can happen. Someone can craft a form that, when visited, submits malicious data to your server as if you did it yourself.

If the admin is tricked into clicking a link or visiting a page loaded with a hidden form, that form can silently change plugin settings or trigger actions.

The Technical Details: What’s Wrong?

In code versions up to .5, key actions in the Indeed API plugin lack CSRF protection. WordPress has a built-in way to prevent CSRF: “nonces.” This plugin’s code does not check these nonces on sensitive actions like saving settings or importing job listings.

Example Vulnerable Code Snippet

// Example from the settings handler in version .5 and below
if (isset($_POST['submit'])) {
    update_option('indeed_api_key', $_POST['api_key']);
    update_option('indeed_publisher_id', $_POST['publisher_id']);
    // No check for current_user_can or nonce!
}

There’s no check that the request is genuine – and no wp_nonce_field() or check_admin_referer().

`html

https://victim.com/wp-admin/options-general.php?page=indeed-api">





The form auto-submits, changing the plugin’s API key & publisher ID to the attacker’s values.

4. The attacker can now control what jobs are imported, or potentially get access to sensitive data via their own API key.

An attacker can hijack job import settings, inserting their own job feeds or redirecting users.

- At worst: If additional features in the plugin are similarly exposed, they might gain access to more settings or perform further attacks as the admin.

Official References

- WordPress Plugin Page
- NVD: CVE-2025-25103 (Check as more info becomes public)
- CSRF in WordPress: A Primer


## How To Fix / Protect Yourself

1. Upgrade!
As of posting, there is no patched version. If a patch exists by the time you read this, update immediately.

2. Disable the Plugin
If an update isn’t available, deactivate the Indeed API plugin until a patch lands.

Here’s how the plugin should protect against CSRF

if (isset($_POST['submit']) && check_admin_referer('indeed_api_settings')) {
    update_option('indeed_api_key', sanitize_text_field($_POST['api_key']));
    update_option('indeed_publisher_id', sanitize_text_field($_POST['publisher_id']));
}

...and on the form

<?php wp_nonce_field('indeed_api_settings'); ?>

In Summary

- CVE-2025-25103 is an exploitable CSRF vulnerability in the bnielsen Indeed API plugin, up through version .5.
- It lets attackers change plugin settings via forged requests, if a logged-in admin visits an attacker-controlled page.
- Fix? Patch (when available) or disable plugin, and never trust input without WordPress’s nonce protection.

Stay safe, patch fast, and double-check your plugins!

For more technical details or to track the status, see CVE-2025-25103 at NVD, or follow the WordPress plugin page for updates.

*Feel free to share this post to help others stay secure!*

Timeline

Published on: 02/07/2025 10:15:15 UTC