{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14162", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T20:46:00.918Z", "datePublished": "2025-12-12T03:20:36.568Z", "dateUpdated": "2026-04-08T16:32:49.977Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:49.977Z"}, "affected": [{"vendor": "magblogapi", "product": "BMLT WordPress Satellite", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.11.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The BMLT WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.11.4. This is due to missing nonce validation on the 'BMLTPlugin_create_option' and 'BMLTPlugin_delete_option ' action. This makes it possible for unauthenticated attackers to create new plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "BMLT WordPress Plugin <= 3.11.4 - Cross-Site Request Forgery to Settings Creation and Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0344f49b-f5f9-4729-ade0-cba6289406de?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bmlt-wordpress-satellite-plugin/trunk/vendor/bmlt/bmlt-satellite-base-class/bmlt-cms-satellite-plugin.php#L848"}, {"url": "https://plugins.trac.wordpress.org/browser/bmlt-wordpress-satellite-plugin/tags/3.11.4/vendor/bmlt/bmlt-satellite-base-class/bmlt-cms-satellite-plugin.php#L848"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2025-12-11T14:28:25.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T18:09:05.452061Z", "id": "CVE-2025-14162", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:17:37.509Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14162", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T18:09:05.452061Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:09:07.445Z"}}], "cna": {"title": "BMLT WordPress Plugin <= 3.11.4 - Cross-Site Request Forgery to Settings Creation and Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "magblogapi", "product": "BMLT WordPress Satellite", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.11.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T14:28:25.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0344f49b-f5f9-4729-ade0-cba6289406de?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bmlt-wordpress-satellite-plugin/trunk/vendor/bmlt/bmlt-satellite-base-class/bmlt-cms-satellite-plugin.php#L848"}, {"url": "https://plugins.trac.wordpress.org/browser/bmlt-wordpress-satellite-plugin/tags/3.11.4/vendor/bmlt/bmlt-satellite-base-class/bmlt-cms-satellite-plugin.php#L848"}], "descriptions": [{"lang": "en", "value": "The BMLT WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.11.4. This is due to missing nonce validation on the 'BMLTPlugin_create_option' and 'BMLTPlugin_delete_option ' action. This makes it possible for unauthenticated attackers to create new plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:49.977Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14162", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:32:49.977Z", "dateReserved": "2025-12-05T20:46:00.918Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:36.568Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The BMLT WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.11.4. This is due to missing nonce validation on the 'BMLTPlugin_create_option' and 'BMLTPlugin_delete_option ' action. This makes it possible for unauthenticated attackers to create new plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-14162", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:48.930", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bmlt-wordpress-satellite-plugin/tags/3.11.4/vendor/bmlt/bmlt-satellite-base-class/bmlt-cms-satellite-plugin.php#L848"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bmlt-wordpress-satellite-plugin/trunk/vendor/bmlt/bmlt-satellite-base-class/bmlt-cms-satellite-plugin.php#L848"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0344f49b-f5f9-4729-ade0-cba6289406de?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:20:09.112752+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest BMLT WordPress Satellite plugin version that incorporates nonce validation for create and delete option actions.", "If an upgrade is not available, temporarily disable the create and delete functions in the plugin or remove the plugin entirely until a patch is applied.", "Enable multi\u2011factor authentication for administrative WordPress accounts and educate administrators to avoid clicking suspicious links from untrusted sources."], "summary": {"action": "Patch", "impact": "Unauthorized creation or deletion of plugin settings via CSRF"}, "threat_synthesis": {"affected_systems": "magblogapi BMLT WordPress Satellite plugin version 3.11.4 and earlier are affected. All installations of this plugin up to and including 3.11.4 are vulnerable.", "description_and_impact": "The vulnerability is a missing nonce check in the BMLT WordPress Satellite plugin's create and delete option actions. An attacker can forge a request that causes an authenticated site administrator to execute a request that creates or deletes plugin configuration values. This allows unauthenticated attackers to alter the plugin\u2019s behavior, potentially leading to defacement, loss of functionality, or a sub\u2011optimal user experience. The weakness is identified as a Cross\u2011Site Request Forgery (CWE\u2011352).", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the EPSS score of < 1% shows a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker craft a forged request and obtain an administrator\u2019s logged\u2011in session cookie, typically by tricking the administrator into clicking a malicious link. Because the attack relies on user interaction, the likelihood is modest, but the impact of changing or deleting settings could disrupt site operations or downgrade security, making remediation advisable."}}}}, "created": "2025-12-12T08:48:14.359688+00:00", "updated": "2026-04-22T16:30:22.137952+00:00", "vendors": ["magblogapi", "magblogapi$PRODUCT$bmlt_wordpress_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}