{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14846", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-17T18:55:54.282Z", "datePublished": "2026-01-14T06:40:07.548Z", "dateUpdated": "2026-04-08T17:19:00.415Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:00.415Z"}, "affected": [{"vendor": "socialchampio", "product": "Auto Post to Social Media from Social Champ", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.5. This is due to missing nonce validation on the wpsc_settings_tab_menu function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "SocialChamp with WordPress <= 1.3.5 - Cross-Site Request Forgery to Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdbb660b-19aa-4c68-865c-0a51b85d1e5a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/auto-post-to-social-media-wp-to-social-champ/tags/1.3.3/admin/class-wp-socialchamp-settings-init.php#L157"}, {"url": "https://plugins.trac.wordpress.org/changeset/3467359/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2026-01-13T17:28:56.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T20:26:20.144856Z", "id": "CVE-2025-14846", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T20:28:15.355Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14846", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-14T20:26:20.144856Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T20:27:57.743Z"}}], "cna": {"title": "SocialChamp with WordPress <= 1.3.5 - Cross-Site Request Forgery to Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "socialchampio", "product": "Auto Post to Social Media from Social Champ", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-13T17:28:56.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdbb660b-19aa-4c68-865c-0a51b85d1e5a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/auto-post-to-social-media-wp-to-social-champ/tags/1.3.3/admin/class-wp-socialchamp-settings-init.php#L157"}, {"url": "https://plugins.trac.wordpress.org/changeset/3467359/"}], "descriptions": [{"lang": "en", "value": "The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.5. This is due to missing nonce validation on the wpsc_settings_tab_menu function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:00.415Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14846", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:19:00.415Z", "dateReserved": "2025-12-17T18:55:54.282Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-14T06:40:07.548Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.5. This is due to missing nonce validation on the wpsc_settings_tab_menu function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin SocialChamp with WordPress para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 1.3.3, inclusive. Esto se debe a la falta de validaci\u00f3n de nonce en la funci\u00f3n wpsc_settings_tab_menu. Esto hace posible que atacantes no autenticados modifiquen la configuraci\u00f3n del plugin a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-14846", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-14T07:16:13.680", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/auto-post-to-social-media-wp-to-social-champ/tags/1.3.3/admin/class-wp-socialchamp-settings-init.php#L157"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3467359/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdbb660b-19aa-4c68-865c-0a51b85d1e5a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:25:47.273256+00:00", "value": {"mitigation_remediation": ["Upgrade the SocialChamp plugin to the latest version, which adds proper nonce validation to the settings update handler.", "If an update is not immediately available, temporarily disable or uninstall the plugin until a patch is released to prevent accidental configuration changes.", "Configure a web\u2011application firewall or similar filtering rule to reject POST requests to the plugin\u2019s settings endpoints that lack the expected nonce value, ensuring CSRF protection is enforced at the application layer."], "summary": {"action": "Update Plugin", "impact": "Unauthorized Configuration Modification via Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the SocialChamp Auto Post to Social Media from Social Champ plugin, all releases up to and including version 1.3.5. End\u2011users running any WordPress version with the plugin installed are potentially impacted if they are administrators or other privileged roles.", "description_and_impact": "The SocialChamp plugin for WordPress contains a missing nonce check in the wpsc_settings_tab_menu function, enabling attackers to forge authenticated requests. A forged request can alter plugin settings on a site where an administrator is logged in, potentially redirecting social media postings or changing connected accounts. This flaw violates integrity by allowing unauthenticated users to modify configuration controls. The impact is limited to the plugin\u2019s functionality and could result in unintended content posts or misconfigured social media feeds.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity. The EPSS score of < 1% reflects a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires social\u2011engineering: an attacker must convince an authenticated administrator to click a malicious link that submits a forged POST request containing parameters to the plugin\u2019s settings endpoint. No additional access or privilege escalation is required beyond the victim\u2019s authenticated session."}}}}, "created": "2026-01-15T08:03:52.324087+00:00", "updated": "2026-04-21T00:30:22.975324+00:00", "vendors": ["socialchampio", "socialchampio$PRODUCT$socialchamp_with_wordpress", "wordpress", "wordpress$PRODUCT$wordpress"]}