{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14734", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-15T18:15:19.777Z", "datePublished": "2025-12-20T03:20:22.035Z", "dateUpdated": "2026-04-08T17:03:45.715Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:45.715Z"}, "affected": [{"vendor": "nestornoe", "product": "Amazon affiliate lite Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Amazon affiliate lite Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the 'ADAL_settings_page' function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Amazon affiliate lite Plugin <= 1.0.0 - Cross-Site Request Forgery to Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8175ff00-e588-46cf-a743-9c4d4717657a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/afiliados-de-amazon-lite/trunk/ADAL-core.php?rev=1952216#L99"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2025-12-19T15:05:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-22T16:15:41.692911Z", "id": "CVE-2025-14734", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T16:15:51.282Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14734", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-22T16:15:41.692911Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T16:15:47.586Z"}}], "cna": {"title": "Amazon affiliate lite Plugin <= 1.0.0 - Cross-Site Request Forgery to Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "nestornoe", "product": "Amazon affiliate lite Plugin", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-19T15:05:22.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8175ff00-e588-46cf-a743-9c4d4717657a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/afiliados-de-amazon-lite/trunk/ADAL-core.php?rev=1952216#L99"}], "descriptions": [{"lang": "en", "value": "The Amazon affiliate lite Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the 'ADAL_settings_page' function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-20T03:20:22.035Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14734", "state": "PUBLISHED", "dateUpdated": "2025-12-22T16:15:51.282Z", "dateReserved": "2025-12-15T18:15:19.777Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-20T03:20:22.035Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Amazon affiliate lite Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the 'ADAL_settings_page' function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-14734", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-20T04:16:08.457", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/afiliados-de-amazon-lite/trunk/ADAL-core.php?rev=1952216#L99"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8175ff00-e588-46cf-a743-9c4d4717657a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:09:45.815404+00:00", "value": {"mitigation_remediation": ["Upgrade the Amazon affiliate lite Plugin to a version newer than 1.0.0 that implements proper nonce verification in the settings update function.", "Disable or uninstall the Amazon affiliate lite Plugin if the site no longer requires this functionality, ensuring no current or legacy configuration can be tampered with.", "Enforce strict privileged account controls: limit administrative privileges to trusted users and use multi\u2011factor authentication to reduce the risk that an authenticated admin will unknowingly submit a forged request."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Request Forgery enabling unauthorized plugin settings modifications"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Amazon affiliate lite Plugin version 1.0.0 or earlier are vulnerable. The vendor is nestornoe, and the product is the Amazon affiliate lite Plugin. No specific product line or OS is mentioned; the issue is confined to the plugin code under the indicated versions.", "description_and_impact": "The Amazon affiliate lite Plugin for WordPress has a missing or incorrectly implemented nonce check in the ADAL_settings_page function, creating a CSRF flaw. An attacker can send a forged request that an authenticated site administrator unknowingly submits, allowing the attacker to alter the plugin\u2019s configuration. This impacts the integrity of the site\u2019s affiliate settings, potentially redirecting traffic or changing commission parameters. The elevation of privileges is limited to plugin configuration, but changes can affect revenue and user experience.", "risk_and_exploitability": "With a CVSS score of 5.4, the vulnerability is considered moderate. The EPSS < 1% suggests a low probability of real world exploitation, and it is not listed in CISA\u2019s KEV catalog. The likely attack vector is a phishing or social\u2011engineering attack that lures a site administrator to click a malicious link, as no authentication is required. The flaw requires a user with administrative privileges to be tricked into executing a request. Consequently, the risk is limited to sites that still run the vulnerable plugin version and have active admins who could be compromised."}}}}, "created": "2025-12-21T21:12:30.662963+00:00", "updated": "2026-04-22T00:15:03.772495+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}