{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14357", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-09T16:42:08.562Z", "datePublished": "2026-02-19T04:36:24.395Z", "dateUpdated": "2026-04-08T17:23:38.813Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:38.813Z"}, "affected": [{"vendor": "misbahwp", "product": "Mega Store Woocommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary pages and modify site settings."}], "title": "Mega Store Woocommerce <= 5.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation and Settings Change", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbe3ce13-ce92-423f-b190-1b2c3dc74b82?source=cve"}, {"url": "https://themes.trac.wordpress.org/browser/mega-store-woocommerce/trunk/core/includes/importer/whizzie.php#L668"}, {"url": "https://themes.trac.wordpress.org/browser/mega-store-woocommerce/5.6/core/includes/importer/whizzie.php#L668"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "John Peace"}], "timeline": [{"time": "2026-02-18T15:50:48.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:15:27.620086Z", "id": "CVE-2025-14357", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:18:31.802Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14357", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T21:15:27.620086Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:18:26.139Z"}}], "cna": {"title": "Mega Store Woocommerce <= 5.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation and Settings Change", "credits": [{"lang": "en", "type": "finder", "value": "John Peace"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "misbahwp", "product": "Mega Store Woocommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-18T15:50:48.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbe3ce13-ce92-423f-b190-1b2c3dc74b82?source=cve"}, {"url": "https://themes.trac.wordpress.org/browser/mega-store-woocommerce/trunk/core/includes/importer/whizzie.php#L668"}, {"url": "https://themes.trac.wordpress.org/browser/mega-store-woocommerce/5.6/core/includes/importer/whizzie.php#L668"}], "descriptions": [{"lang": "en", "value": "The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary pages and modify site settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:38.813Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14357", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:23:38.813Z", "dateReserved": "2025-12-09T16:42:08.562Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-19T04:36:24.395Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary pages and modify site settings."}, {"lang": "es", "value": "El tema Mega Store Woocommerce para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una verificaci\u00f3n de capacidad faltante en la funci\u00f3n setup_widgets() en core/includes/importer/whizzie.php en todas las versiones hasta la 5.9, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, creen p\u00e1ginas arbitrarias y modifiquen la configuraci\u00f3n del sitio."}], "id": "CVE-2025-14357", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:35.090", "references": [{"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/browser/mega-store-woocommerce/5.6/core/includes/importer/whizzie.php#L668"}, {"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/browser/mega-store-woocommerce/trunk/core/includes/importer/whizzie.php#L668"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbe3ce13-ce92-423f-b190-1b2c3dc74b82?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Mega Store Woocommerce", "source": "cna", "vendor": "misbahwp"}, "product": "mega_store_woocommerce", "vendor": "misbahwp"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-20T20:50:11.477732+00:00", "value": {"mitigation_remediation": ["Upgrade the Mega Store Woocommerce theme to version 5.10 or later, which fixes the missing capability check", "Revoke or downgrade the capability of Subscriber users to prevent page creation and settings modification, or convert legitimate Subscribers to a lower role if possible", "Implement a server\u2011side wrapper or custom plugin that enforces an explicit capability check before executing setup_widgets(), thereby restoring the intended authorization control"], "summary": {"action": "Apply Patch", "impact": "Unauthorized modification of site content and settings by authenticated subscribers"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Mega Store Woocommerce theme, versions 5.0 through 5.9 inclusive, are affected. Administrators using these versions are at risk if they have users with Subscriber or higher roles.", "description_and_impact": "The Mega Store Woocommerce theme contains a missing capability check in the setup_widgets() function that allows users with Subscriber-level or higher access to create arbitrary pages and modify site settings. This flaw directly violates authorization controls (CWE\u2011862) and enables an attacker who possesses at least Subscriber privileges to change content that normally requires higher administrative rights.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1% suggests that active exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only authenticated access with a Subscriber role, and the attack path is essentially the normal import or widget setup flow exposed by the theme. Because the flaw bypasses a capability check, an attacker can use existing permissions to arbitrarily alter site content and settings, potentially impacting confidentiality and integrity of the site\u2019s data."}}}}, "created": "2026-02-19T10:06:53.004419+00:00", "updated": "2026-04-20T21:00:12.955386+00:00", "vendors": ["misbahwp", "misbahwp$PRODUCT$mega_store_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}