{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14161", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T20:43:20.316Z", "datePublished": "2025-12-12T03:20:49.231Z", "dateUpdated": "2026-04-08T17:01:12.525Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:12.525Z"}, "affected": [{"vendor": "truefy", "product": "Truefy Embed", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Truefy Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'truefy_embed_options_update' settings update action. This makes it possible for unauthenticated attackers to update the plugin's settings, including the API key, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Truefy Embed <= 1.1.0 - Cross-Site Request Forgery to 'truefy_embed_options_update' Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74ad664d-5cfa-481c-a318-30999c43e4ac?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/truefy-embed/trunk/truefy.php#L431"}, {"url": "https://plugins.trac.wordpress.org/browser/truefy-embed/tags/1.1.0/truefy.php#L431"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "dayea song"}], "timeline": [{"time": "2025-12-11T14:37:17.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-12T20:23:20.242389Z", "id": "CVE-2025-14161", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:14:25.133Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14161", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-12T20:23:20.242389Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T20:24:46.979Z"}}], "cna": {"title": "Truefy Embed <= 1.1.0 - Cross-Site Request Forgery to 'truefy_embed_options_update' Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "dayea song"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "truefy", "product": "Truefy Embed", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T14:37:17.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74ad664d-5cfa-481c-a318-30999c43e4ac?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/truefy-embed/trunk/truefy.php#L431"}, {"url": "https://plugins.trac.wordpress.org/browser/truefy-embed/tags/1.1.0/truefy.php#L431"}], "descriptions": [{"lang": "en", "value": "The Truefy Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'truefy_embed_options_update' settings update action. This makes it possible for unauthenticated attackers to update the plugin's settings, including the API key, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-12T03:20:49.231Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14161", "state": "PUBLISHED", "dateUpdated": "2025-12-15T18:14:25.133Z", "dateReserved": "2025-12-05T20:43:20.316Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:49.231Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Truefy Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'truefy_embed_options_update' settings update action. This makes it possible for unauthenticated attackers to update the plugin's settings, including the API key, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-14161", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:48.770", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/truefy-embed/tags/1.1.0/truefy.php#L431"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/truefy-embed/trunk/truefy.php#L431"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74ad664d-5cfa-481c-a318-30999c43e4ac?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:27:56.666258+00:00", "value": {"mitigation_remediation": ["Update the Truefy Embed plugin to the latest available release.", "If an upgrade is not available, deactivate or uninstall the plugin to prevent further configuration changes.", "Educate site administrators not to click on unknown or suspicious links while logged into the WordPress admin area."], "summary": {"action": "Patch Now", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "All WordPress sites that use the Truefy Embed plugin version 1.1.0 or earlier are impacted. No specific WordPress core version is noted, so any installation running the affected plugin is at risk.", "description_and_impact": "The Truefy Embed plugin fails to perform nonce validation on the truefy_embed_options_update action, allowing an unauthenticated attacker to forge a request that causes an authenticated administrator to change the plugin\u2019s settings, including the API key. By exploiting this flaw the attacker can gain unauthorized control over the plugin configuration, potentially leading to further compromise of the site.", "risk_and_exploitability": "The CVSS score for this issue is 4.3 and the EPSS score is below 1%, indicating a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw via a CSRF attack: an adversary convinces a logged\u2011in administrator to click a crafted link or submit a malicious form, which then updates the plugin settings without further authentication."}}}}, "created": "2025-12-12T08:48:01.814348+00:00", "updated": "2026-04-21T17:30:37.702556+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}