{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14447", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-10T13:54:13.521Z", "datePublished": "2025-12-13T04:31:22.942Z", "dateUpdated": "2026-04-08T16:43:42.875Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:42.875Z"}, "affected": [{"vendor": "pcantoni", "product": "AnnunciFunebri", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.7.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The AnnunciFunebri Impresa plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the annfu_reset_options() function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all 29 plugin options, effectively resetting the plugin to its default state."}], "title": "AnnunciFunebri Impresa <= 4.7.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Options Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2b9ea2a2-34af-408c-91ee-6d5fd9431529?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/annuncifunebri-onoranza/trunk/functions.inc.php#L845"}, {"url": "https://plugins.trac.wordpress.org/browser/annuncifunebri-onoranza/tags/4.7.0/functions.inc.php#L845"}, {"url": "https://plugins.trac.wordpress.org/changeset/3456966/#file235"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2025-12-12T16:04:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:25:10.742477Z", "id": "CVE-2025-14447", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:34:25.832Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14447", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:25:10.742477Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:25:11.847Z"}}], "cna": {"title": "AnnunciFunebri Impresa <= 4.7.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Options Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "pcantoni", "product": "AnnunciFunebri", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.7.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-12T16:04:52.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2b9ea2a2-34af-408c-91ee-6d5fd9431529?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/annuncifunebri-onoranza/trunk/functions.inc.php#L845"}, {"url": "https://plugins.trac.wordpress.org/browser/annuncifunebri-onoranza/tags/4.7.0/functions.inc.php#L845"}, {"url": "https://plugins.trac.wordpress.org/changeset/3456966/#file235"}], "descriptions": [{"lang": "en", "value": "The AnnunciFunebri Impresa plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the annfu_reset_options() function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all 29 plugin options, effectively resetting the plugin to its default state."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:42.875Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14447", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:43:42.875Z", "dateReserved": "2025-12-10T13:54:13.521Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-13T04:31:22.942Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The AnnunciFunebri Impresa plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the annfu_reset_options() function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all 29 plugin options, effectively resetting the plugin to its default state."}], "id": "CVE-2025-14447", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-12-13T16:16:49.860", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/annuncifunebri-onoranza/tags/4.7.0/functions.inc.php#L845"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/annuncifunebri-onoranza/trunk/functions.inc.php#L845"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3456966/#file235"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2b9ea2a2-34af-408c-91ee-6d5fd9431529?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:08:11.656730+00:00", "value": {"mitigation_remediation": ["Update the AnnunciFunebri plugin to a version that includes the missing capability check.", "If an update is not immediately possible, remove or restrict the annfu_reset_options capability from the Subscriber role, or disable the plugin until a fix is available.", "As a temporary workaround, manually recreate the plugin options and limit access to the reset functionality by adjusting user role permissions."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized deletion of plugin options by users with Subscriber level access or higher"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in all releases of the AnnunciFunebri plugin up to and including version 4.7.0. WordPress sites that install any of these versions and grant Subscriber or greater roles to users are affected.", "description_and_impact": "A missing capability check in the annfu_reset_options() function of the AnnunciFunebri Impresa WordPress plugin allows an authenticated user with Subscriber or higher privileges to delete all 29 plugin options, resetting the plugin to its default state. This loss of configuration can disrupt funeral announcement services and affect the integrity of site data.", "risk_and_exploitability": "The CVSS score is 4.3 and the EPSS score is below 1%, indicating a low to moderate severity and a low probability of exploitation. The flaw is not listed in the CISA KEV catalog. Because exploitation requires a valid WordPress account with Subscriber or higher privileges, the threat primarily comes from compromised or malicious internal accounts rather than external attackers."}}}}, "created": "2025-12-14T21:14:55.857665+00:00", "updated": "2026-04-22T16:15:21.789629+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}