{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14390", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-09T20:50:49.004Z", "datePublished": "2025-12-10T09:23:56.285Z", "dateUpdated": "2026-04-08T17:02:44.103Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:44.103Z"}, "affected": [{"vendor": "videomerchant", "product": "Video Merchant", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5.0.4. This is due to missing or incorrect nonce validation on the video_merchant_add_video_file() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Video Merchant <= 5.0.4 - Cross-Site Request Forgery to Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cbe39ae-d10b-432f-afab-682948de2521?source=cve"}, {"url": "https://wordpress.org/plugins/video-merchant"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ala Arfaoui"}], "timeline": [{"time": "2025-12-09T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-10T16:55:34.922633Z", "id": "CVE-2025-14390", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-10T16:55:45.631Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14390", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-10T16:55:34.922633Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-10T16:55:39.739Z"}}], "cna": {"title": "Video Merchant <= 5.0.4 - Cross-Site Request Forgery to Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Ala Arfaoui"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "videomerchant", "product": "Video Merchant", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.0.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-09T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cbe39ae-d10b-432f-afab-682948de2521?source=cve"}, {"url": "https://wordpress.org/plugins/video-merchant"}], "descriptions": [{"lang": "en", "value": "The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5.0.4. This is due to missing or incorrect nonce validation on the video_merchant_add_video_file() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-10T09:23:56.285Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14390", "state": "PUBLISHED", "dateUpdated": "2025-12-10T16:55:45.631Z", "dateReserved": "2025-12-09T20:50:49.004Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-10T09:23:56.285Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5.0.4. This is due to missing or incorrect nonce validation on the video_merchant_add_video_file() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-14390", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-10T10:16:01.823", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/video-merchant"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cbe39ae-d10b-432f-afab-682948de2521?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:34:30.425894+00:00", "value": {"mitigation_remediation": ["Update the Video Merchant plugin to a version newer than 5.0.4, which contains the missing nonce check.", "If an immediate update is not possible, restrict the file\u2011upload capability to trusted users only or temporarily disable it.", "Apply the vendor\u2019s patch for the nonce validation flaw or replace the vulnerable function with a secure implementation.", "Use additional WordPress security measures such as WAF rules or strict CSRF protections to mitigate future similar attacks."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Request Forgery that enables arbitrary file upload leading to remote code execution"}, "threat_synthesis": {"affected_systems": "All installations of the Video Merchant plugin for WordPress with version 5.0.4 or earlier are vulnerable. The flaw exists in the plugin code that handles file uploading, and no fixed version is listed in the supplied data.", "description_and_impact": "The Video Merchant WordPress plugin allows unauthenticated attackers to craft forged requests that bypass nonce validation in the video_merchant_add_video_file() function, permitting them to upload arbitrary files. When such files are executed, an attacker can achieve remote code execution. The weakness is a file\u2011upload flaw (CWE\u2011434). This grants full compromise of affected sites if the uploaded content can be executed by the server.", "risk_and_exploitability": "The CVSS score of 8.8 signals a high\u2011severity flaw. The EPSS value of less than 1% indicates that real\u2011world exploitation is currently rare, likely because the attack requires a user to unknowingly click a malicious link prompting an admin to perform an action. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, further suggesting low active exploitation. However, if an attacker can trick an administrator, the impact is severe due to remote code execution."}}}}, "created": "2025-12-10T17:48:47.866113+00:00", "updated": "2026-04-21T17:45:16.480102+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}