{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14618", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-12T20:52:54.187Z", "datePublished": "2025-12-18T12:22:26.735Z", "dateUpdated": "2026-04-08T16:40:28.444Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:28.444Z"}, "affected": [{"vendor": "wpdirectorykit", "product": "Sweet Energy Efficiency", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Sweet Energy Efficiency plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on the 'sweet_energy_efficiency_action' AJAX handler in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with subscriber level access and above, to read, modify, and delete arbitrary graphs."}], "title": "Sweet Energy Efficiency <= 1.0.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Graph Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ccc8b30-1bdf-4335-85a9-79c6f9a88afc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3417589/sweet-energy-efficiency"}, {"url": "https://plugins.trac.wordpress.org/changeset/3420909/sweet-energy-efficiency"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Paolo Tresso"}], "timeline": [{"time": "2025-11-19T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-12-10T19:27:46.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-17T23:38:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-18T14:35:29.459814Z", "id": "CVE-2025-14618", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T14:35:46.445Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14618", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-18T14:35:29.459814Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T14:35:41.101Z"}}], "cna": {"title": "Sweet Energy Efficiency <= 1.0.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Graph Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Paolo Tresso"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpdirectorykit", "product": "Sweet Energy Efficiency", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-19T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-12-10T19:27:46.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-17T23:38:07.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ccc8b30-1bdf-4335-85a9-79c6f9a88afc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3417589/sweet-energy-efficiency"}, {"url": "https://plugins.trac.wordpress.org/changeset/3420909/sweet-energy-efficiency"}], "descriptions": [{"lang": "en", "value": "The Sweet Energy Efficiency plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on the 'sweet_energy_efficiency_action' AJAX handler in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with subscriber level access and above, to read, modify, and delete arbitrary graphs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:28.444Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14618", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:40:28.444Z", "dateReserved": "2025-12-12T20:52:54.187Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-18T12:22:26.735Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Sweet Energy Efficiency plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on the 'sweet_energy_efficiency_action' AJAX handler in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with subscriber level access and above, to read, modify, and delete arbitrary graphs."}], "id": "CVE-2025-14618", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-18T13:15:47.523", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3417589/sweet-energy-efficiency"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3420909/sweet-energy-efficiency"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ccc8b30-1bdf-4335-85a9-79c6f9a88afc?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:04:25.673459+00:00", "value": {"mitigation_remediation": ["Upgrade Sweet Energy Efficiency plugin to the latest certified version that includes the missing capability check.", "If upgrading is not immediately possible, disable the plugin or the sweet_energy_efficiency_action AJAX endpoint to prevent deletion until a patch is available.", "Alternatively, modify the role capabilities using a user role editor plugin to remove the ability of Subscriber level users to invoke graph deletion."], "summary": {"action": "Patch Now", "impact": "Unauthorized graph deletion causing loss of graphical data and integrity"}, "threat_synthesis": {"affected_systems": "This weakness affects the Sweet Energy Efficiency plugin for WordPress, version 1.0.6 and all earlier releases. The plugin is distributed by wpdirectorykit. A site that hosts WordPress with this plugin up to 1.0.6 is therefore vulnerable; the plugin\u2019s documentation and WordPress plugin repository show that the vulnerable AJAX action exists in those releases.", "description_and_impact": "The Sweet Energy Efficiency WordPress plugin contains a flaw in the sweet_energy_efficiency_action AJAX handler. The plugin fails to perform a capability check, allowing any authenticated user with Subscriber role or higher to execute deletion operations on arbitrary graph data. As a result, attackers can read, modify, and delete graph entries, undermining the integrity of the plugin\u2019s data store. This weakness is classified as CWE\u2011862, Missing Authorization.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate impact, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further implying limited public exploitation. Nevertheless, the flaw can be exploited by any authenticated user who has Subscriber or higher role, making the attack vector internal and reliant on existing account credentials. Once the flaw is abused, data loss or unauthorized modification of graph metadata can occur, directly affecting the integrity of dashboards and reporting."}}}}, "created": "2025-12-19T09:16:08.345948+00:00", "updated": "2026-04-22T16:15:21.787426+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}