{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14852", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-17T20:26:26.949Z", "datePublished": "2026-02-14T06:42:30.914Z", "dateUpdated": "2026-04-08T17:11:20.787Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:20.787Z"}, "affected": [{"vendor": "antevenio", "product": "MDirector Newsletter WordPress Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.5.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "MDirector Newsletter <= 4.5.8 - Cross-Site Request Forgery to Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9be389b4-0f76-4f58-806e-dfba531934ea?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mdirector-newsletter/tags/4.5.8/admin/class-mdirector-newsletter-admin.php#L937"}, {"url": "https://plugins.trac.wordpress.org/browser/mdirector-newsletter/tags/4.5.8/admin/class-mdirector-newsletter-admin.php#L170"}, {"url": "https://plugins.trac.wordpress.org/changeset/3463535/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2026-02-13T18:29:09.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T15:36:41.674592Z", "id": "CVE-2025-14852", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:46:46.455Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14852", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T15:36:41.674592Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:36:42.462Z"}}], "cna": {"title": "MDirector Newsletter <= 4.5.8 - Cross-Site Request Forgery to Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "antevenio", "product": "MDirector Newsletter WordPress Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.5.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-13T18:29:09.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9be389b4-0f76-4f58-806e-dfba531934ea?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mdirector-newsletter/tags/4.5.8/admin/class-mdirector-newsletter-admin.php#L937"}, {"url": "https://plugins.trac.wordpress.org/browser/mdirector-newsletter/tags/4.5.8/admin/class-mdirector-newsletter-admin.php#L170"}, {"url": "https://plugins.trac.wordpress.org/changeset/3463535/"}], "descriptions": [{"lang": "en", "value": "The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:20.787Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14852", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:11:20.787Z", "dateReserved": "2025-12-17T20:26:26.949Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-14T06:42:30.914Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin MDirector Newsletter para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 4.5.8, inclusive. Esto se debe a la falta de verificaci\u00f3n de nonce en la funci\u00f3n mdirectorNewsletterSave. Esto hace posible que atacantes no autenticados actualicen la configuraci\u00f3n del plugin a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-14852", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-14T07:16:06.433", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mdirector-newsletter/tags/4.5.8/admin/class-mdirector-newsletter-admin.php#L170"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mdirector-newsletter/tags/4.5.8/admin/class-mdirector-newsletter-admin.php#L937"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3463535/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9be389b4-0f76-4f58-806e-dfba531934ea?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.5.8]"}}], "product": "mdirector_newsletter", "vendor": "antevenio"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-21T16:01:03.511870+00:00", "value": {"mitigation_remediation": ["Upgrade the MDirector Newsletter plugin to the latest version (4.5.9 or newer).", "If an upgrade is not immediately possible, limit access to the plugin\u2019s settings page to a narrow set of trusted administrator accounts and monitor for unexpected changes.", "Deploy a WordPress security plugin that adds CSRF protection to administrative actions, or otherwise enforce a valid nonce on all plugin\u2011related POST requests."], "summary": {"action": "Update Plugin", "impact": "Cross\u2011Site Request Forgery enabling unauthorized plugin configuration changes"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the MDirector Newsletter WordPress plugin developed by antevenio. All versions from the initial release through 4.5.8 are impacted. Neither the 4.5.9 release nor any newer versions contain the fix.", "description_and_impact": "The MDirector Newsletter WordPress plugin contains a Cross\u2011Site Request Forgery vulnerability in all releases up to and including 4.5.8. The flaw arises from the mdirectorNewsletterSave function lacking a nonce check, which allows an unauthenticated attacker to forge a request that changes the plugin\u2019s settings when a site administrator unknowingly submits the request. Altering these settings can redirect email campaigns, enable spam, or affect other administrative functions, compromising the integrity of the WordPress site.", "risk_and_exploitability": "With a CVSS score of 4.3 the vulnerability is considered moderate; the EPSS score of less than 1\u202f% indicates a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a social\u2011engineering scenario in which an attacker tricks a site administrator into clicking a crafted link that submits the forged request using the victim\u2019s authenticated session."}}}}, "created": "2026-02-16T12:02:12.973082+00:00", "updated": "2026-04-21T16:15:40.491158+00:00", "vendors": ["antevenio", "antevenio$PRODUCT$mdirector_newsletter", "wordpress", "wordpress$PRODUCT$wordpress"]}