{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14462", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-10T15:59:50.953Z", "datePublished": "2025-12-13T04:31:24.121Z", "dateUpdated": "2026-04-08T16:50:25.857Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:50:25.857Z"}, "affected": [{"vendor": "owais4377", "product": "Lucky Draw Contests", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Lucky Draw Contests plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation in misc-settings.php. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Lucky Draw Contests <= 4.2 - Cross-Site Request Forgery to Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/49364a21-775a-4de0-84f8-e62aa1a5fefd?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/lucky-draw/tags/4.2/includes/misc-settings.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2025-12-12T16:09:25.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:43:35.875004Z", "id": "CVE-2025-14462", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:48:12.189Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14462", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:43:35.875004Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:43:36.936Z"}}], "cna": {"title": "Lucky Draw Contests <= 4.2 - Cross-Site Request Forgery to Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "owais4377", "product": "Lucky Draw Contests", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-12T16:09:25.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/49364a21-775a-4de0-84f8-e62aa1a5fefd?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/lucky-draw/tags/4.2/includes/misc-settings.php"}], "descriptions": [{"lang": "en", "value": "The Lucky Draw Contests plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation in misc-settings.php. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:50:25.857Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14462", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:50:25.857Z", "dateReserved": "2025-12-10T15:59:50.953Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-13T04:31:24.121Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Lucky Draw Contests plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation in misc-settings.php. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-14462", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-13T16:16:50.320", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/lucky-draw/tags/4.2/includes/misc-settings.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/49364a21-775a-4de0-84f8-e62aa1a5fefd?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:16:19.709042+00:00", "value": {"mitigation_remediation": ["Upgrade Lucky Draw Contests to the latest version that contains the nonce validation fix.", "Configure a security plugin or web application firewall to enforce nonce checks and blockuthenticated setting changes.", "Ensure that only trusted administrators with multi\u2011factor authentication can access the WordPress admin area."], "summary": {"action": "Patch", "impact": "Cross-Site Request Forgery"}, "threat_synthesis": {"affected_systems": "The affected product is Lucky Draw Contests, currently maintained by the vendor owais4377. All WordPress sites running any version of the plugin up to and including 4.2 are vulnerable. No specific sub\u2011versions are listed, so the entire <=4.2 range is considered at risk.", "description_and_impact": "The Lucky Draw Contests WordPress plugin is vulnerable to a Cross\u2011Site Request Forgery flaw caused by missing or incorrect nonce validation in misc-settings.php. An attacker who can persuade a site administrator to click a crafted link or submit a forged form can update the plugin\u2019s settings without authentication. This can lead to unauthorized configuration changes, potentially disrupting the site\u2019s operation or enabling further malicious activity such as disseminating spam content or exposing sensitive data, depending on the modified settings.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack path requires an unauthenticated attacker to deceive an authenticated administrator into executing a forged request, typically via a malicious link or embedded form. Once the request is accepted, the attacker can change any configuration that the administrator normally controls."}}}}, "created": "2025-12-14T21:15:06.594717+00:00", "updated": "2026-04-21T17:30:37.683724+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}