Attack Vectors
CVE-2025-31915 is a Medium-severity Cross-Site Request Forgery (CSRF) vulnerability (CVSS 5.4) affecting Pixel WordPress Form Builder Plugin & Autoresponder (plugin slug: pixel-formbuilder) in versions <= 1.0.3.
This type of attack typically succeeds when an attacker can trick a logged-in site administrator into clicking a link or visiting a malicious page while they are authenticated to WordPress. Even though the attacker is unauthenticated, the admin’s active session can be abused to submit a request “as if” the admin intended it.
Official CVE record: https://www.cve.org/CVERecord?id=CVE-2025-31915
Security Weakness
The vulnerability is caused by missing or incorrect nonce validation on a plugin function. In WordPress, nonces are a key control to ensure that sensitive actions in the admin area are intentionally initiated by a legitimate user (and not silently triggered by a third-party webpage).
When nonce checks are absent or flawed, an attacker may be able to force unauthorized actions that the administrator has permission to perform—provided the admin can be persuaded to interact with attacker-controlled content (for example, clicking a link in an email or message).
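The following is an added illustration of the weakness class described above, not code from the pixel-formbuilder plugin: a settings handler that trusts any request reaching it, beside the same handler gated by a WordPress nonce and a capability check. All hook names, option names and the chosen capability are assumptions.

```php
<?php
// Added example, not the plugin's own code. Hook names, option names and
// the capability are assumptions chosen for illustration.

// Weak pattern: the handler relies only on the session cookie, so a
// logged-in administrator lured to a third-party page can be made to
// submit this request without intending to (CSRF).
add_action( 'admin_post_example_save_weak', 'example_save_settings_weak' );
function example_save_settings_weak() {
    update_option( 'example_autoresponder_enabled', isset( $_POST['enabled'] ) ? 1 : 0 );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// Hardened pattern, part 1: the admin page that renders the form embeds a
// per-user, time-limited nonce that an external page cannot know.
function example_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'example_save_settings', '_example_nonce' );
    echo '<input type="hidden" name="action" value="example_save_settings">';
    echo '<label><input type="checkbox" name="enabled" value="1"> Enable autoresponder</label>';
    submit_button( 'Save' );
    echo '</form>';
}

// Hardened pattern, part 2: the handler refuses requests that lack a valid
// nonce or come from a user without the required capability.
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    // Capability check: a nonce proves intent, not authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Nonce check: the action name must match the one used in wp_nonce_field().
    $nonce = isset( $_POST['_example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_example_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_save_settings' ) ) {
        wp_die( 'Invalid or missing nonce', 403 );
    }
    update_option( 'example_autoresponder_enabled', isset( $_POST['enabled'] ) ? 1 : 0 );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}
```

`check_admin_referer( 'example_save_settings', '_example_nonce' )` is a shorter equivalent of the nonce step that calls wp_die() on failure by itself.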
Reference source: Wordfence Vulnerability Database entry
Technical or Business Impacts
Because CSRF abuses an administrator’s authority, the business impact can be disproportionate to the “Medium” rating—especially for sites that are revenue-generating or compliance-sensitive. Potential outcomes include unapproved configuration changes within the plugin and related workflow disruption (for example, changes that affect forms, lead capture, or autoresponder behavior), depending on the specific action exposed.
For marketing and operations teams, this can translate into lead handling issues (missed inquiries, altered form behavior), brand and trust risk (unexpected website behavior), and compliance concerns if web forms are used for regulated data collection and the site’s behavior changes without appropriate change control.
Remediation: Update Pixel WordPress Form Builder Plugin & Autoresponder to version 1.0.4 or newer (patched). After updating, consider reviewing recent admin activity and ensuring administrators use strong authentication controls (for example, MFA) to reduce the impact of any successful social-engineering attempt.
Similar Attacks
CSRF has been a recurring issue across WordPress plugins because it often hinges on consistent use of nonce checks for admin-side actions. One example is CVE-2018-19207 (WP GDPR Compliance), which involved CSRF and demonstrated how admin-targeted requests can have serious downstream effects.