{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14545", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2025-12-11T15:36:38.497Z", "datePublished": "2026-04-10T06:00:13.825Z", "dateUpdated": "2026-04-10T18:37:24.983Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-10T06:00:13.825Z"}, "title": "YML for Yandex Market < 5.0.26 - Shop Manager+ RCE via Feed Generation", "problemTypes": [{"descriptions": [{"description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "YML for Yandex Market", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "5.0.26"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process."}], "references": [{"url": "https://wpscan.com/vulnerability/9bb1a4ca-976c-461d-82de-8a3b04a56fbc/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Alex Tselevich (nos3curity)", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T18:35:43.283221Z", "id": "CVE-2025-14545", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:37:24.983Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-14545", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T18:35:43.283221Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:36:40.515Z"}}], "cna": {"title": "YML for Yandex Market < 5.0.26 - Shop Manager+ RCE via Feed Generation", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Alex Tselevich (nos3curity)"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "YML for Yandex Market", "versions": [{"status": "affected", "version": "0", "lessThan": "5.0.26", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/9bb1a4ca-976c-461d-82de-8a3b04a56fbc/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-10T06:00:13.825Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14545", "state": "PUBLISHED", "dateUpdated": "2026-04-10T18:37:24.983Z", "dateReserved": "2025-12-11T15:36:38.497Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-04-10T06:00:13.825Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process."}], "id": "CVE-2025-14545", "lastModified": "2026-04-15T15:05:47.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-10T07:16:19.607", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/9bb1a4ca-976c-461d-82de-8a3b04a56fbc/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.26)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "YML for Yandex Market", "source": "cna", "vendor": "Unknown"}, "product": "yml_for_yandex_market", "vendor": "icopydoc"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-13T15:20:53.708794+00:00", "value": {"mitigation_remediation": ["Verify the plugin version on all WordPress sites.", "Update the YML for Yandex Market plugin to version 5.0.26 or later.", "If an update is not yet available, disable or remove the plugin until a patch is released.", "Restrict access to the feed generation endpoint to trusted administrators.", "Monitor security advisories and the WPScan database for new updates."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the YML for Yandex Market plugin, specifically any deployment running a version older than 5.0.26. The vendor is currently unknown, but affected sites are those that have this plugin installed and are serving market feeds.", "description_and_impact": "The vulnerability in the YML for Yandex Market WordPress plugin allows an attacker to trigger arbitrary code execution during the feed generation process. By exploiting this flaw, adversaries can run any commands on the underlying server, potentially compromising confidentiality, integrity, and availability of the entire website. The severity score of 6.5 indicates a moderate risk if the vulnerability is leveraged.", "risk_and_exploitability": "With a CVSS score of 6.5 and an EPSS below 1%, the likelihood of successful exploitation is considered low at present, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the attack vector is remotely reachable through the web interface that initiates feed creation. Because the exploit requires no prior local access, attackers can target the plugin from anywhere with internet access."}}}}, "created": "2026-04-10T08:35:36.389492+00:00", "updated": "2026-04-14T16:36:37.653683+00:00", "vendors": ["icopydoc", "icopydoc$PRODUCT$yml_for_yandex_market", "wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-77"]}