{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14465", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-10T16:09:36.722Z", "datePublished": "2026-01-07T09:20:59.749Z", "dateUpdated": "2026-04-08T17:04:00.264Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:00.264Z"}, "affected": [{"vendor": "praveentamil", "product": "Sticky Action Buttons", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Sticky Action Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the sabs_options_page_form_submit() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Sticky Action Buttons <= 1.1 - Cross-Site Request Forgery to Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/82b243c7-5b58-4765-9083-4660c0b479cc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/sticky-action-buttons/tags/1.0/sticky-action-buttons.php#L105"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2026-01-06T20:32:42.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T15:07:37.416912Z", "id": "CVE-2025-14465", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T15:07:42.855Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14465", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T15:07:37.416912Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T15:07:40.673Z"}}], "cna": {"title": "Sticky Action Buttons <= 1.1 - Cross-Site Request Forgery to Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "praveentamil", "product": "Sticky Action Buttons", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-06T20:32:42.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/82b243c7-5b58-4765-9083-4660c0b479cc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/sticky-action-buttons/tags/1.0/sticky-action-buttons.php#L105"}], "descriptions": [{"lang": "en", "value": "The Sticky Action Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the sabs_options_page_form_submit() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:00.264Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14465", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:00.264Z", "dateReserved": "2025-12-10T16:09:36.722Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-07T09:20:59.749Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Sticky Action Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the sabs_options_page_form_submit() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Sticky Action Buttons para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta e incluyendo la 1.1. Esto se debe a la validaci\u00f3n de nonce faltante o incorrecta en la funci\u00f3n sabs_options_page_form_submit(). Esto hace posible que atacantes no autenticados actualicen la configuraci\u00f3n del plugin a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-14465", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-07T12:16:55.057", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sticky-action-buttons/tags/1.0/sticky-action-buttons.php#L105"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/82b243c7-5b58-4765-9083-4660c0b479cc?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:03:17.757239+00:00", "value": {"mitigation_remediation": ["Upgrade the Sticky Action Buttons plugin to a version newer than 1.1.", "If an update cannot be applied immediately, disable the plugin until the issue is resolved to prevent unauthorized changes.", "Configure two\u2011factor authentication for all administrative accounts to reduce the likelihood of a social\u2011engineering attack."], "summary": {"action": "Apply Patch", "impact": "Unauthorized plugin settings modification via Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "All installations of the Sticky Action Buttons plugin by praveentamil in WordPress, including every release up to and including version 1.1, are affected. Versions newer than 1.1 have the fix applied and are not vulnerable.", "description_and_impact": "The Sticky Action Buttons plugin for WordPress suffers from a Cross\u2011Site Request Forgery flaw caused by missing or incorrect nonce validation in the sabs_options_page_form_submit() function. This weakness (CWE\u2011352) allows an unauthenticated attacker to forge a request that updates plugin settings when an administrator unknowingly clicks a malicious link. The result is an unauthorized change to the plugin\u2019s configuration, which could lead to misconfiguration, service disruption, or provide a foothold for subsequent exploitation.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity level, while the EPSS score of less than 1% suggests that active exploitation is currently unlikely. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is a CSRF scenario that relies on deceiving an administrator into submitting a forged request, so the overall risk remains moderate but the probability of exploitation is very low due to the requirement of social engineering and site\u2011admin interaction."}}}}, "created": "2026-01-08T09:50:02.144207+00:00", "updated": "2026-04-22T00:15:03.763510+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}