{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14853", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-17T20:29:58.227Z", "datePublished": "2026-01-16T06:43:21.401Z", "dateUpdated": "2026-04-08T17:09:46.375Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:46.375Z"}, "affected": [{"vendor": "smings", "product": "LEAV Last Email Address Validator", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LEAV Last Email Address Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions <= 1.7.1. This is due to missing or incorrect nonce validation on the display_settings_page function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "LEAV Last Email Address Validator <= 1.7.1 - Cross-Site Request Forgery to Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/93db56df-d21b-4788-84b2-7b28641b5a7a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L66"}, {"url": "https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L2183"}, {"url": "https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L257"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2026-01-15T18:32:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T13:56:42.519207Z", "id": "CVE-2025-14853", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T13:56:51.236Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14853", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T13:56:42.519207Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T13:56:47.350Z"}}], "cna": {"title": "LEAV Last Email Address Validator <= 1.7.1 - Cross-Site Request Forgery to Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "smings", "product": "LEAV Last Email Address Validator", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.7.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-15T18:32:15.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/93db56df-d21b-4788-84b2-7b28641b5a7a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L66"}, {"url": "https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L2183"}, {"url": "https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L257"}], "descriptions": [{"lang": "en", "value": "The LEAV Last Email Address Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions <= 1.7.1. This is due to missing or incorrect nonce validation on the display_settings_page function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:46.375Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14853", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:09:46.375Z", "dateReserved": "2025-12-17T20:29:58.227Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-16T06:43:21.401Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LEAV Last Email Address Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions <= 1.7.1. This is due to missing or incorrect nonce validation on the display_settings_page function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin LEAV Last Email Address Validator para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en versiones &lt;= 1.7.1. Esto se debe a la validaci\u00f3n de nonce faltante o incorrecta en la funci\u00f3n display_settings_page. Esto hace posible que atacantes no autenticados modifiquen la configuraci\u00f3n del plugin a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-14853", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-16T07:15:56.063", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L2183"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L257"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L66"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/93db56df-d21b-4788-84b2-7b28641b5a7a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:21:19.973454+00:00", "value": {"mitigation_remediation": ["Update LEAV Last Email Address Validator to the latest released version (1.7.2 or later) where nonce validation is corrected.", "If an update is not possible, disable or remove the plugin to eliminate the vulnerable surface.", "Enforce robust CSRF protection for all admin pages and ensure administrators verify external links before clicking to reduce the chance of a crafted request being executed."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Request Forgery permitting unauthorized plugin configuration changes"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the LEAV Last Email Address Validator plugin, version 1.7.1 and earlier, used on WordPress installations. If the plugin is present and enabled, any site where administrators log in may be exposed.", "description_and_impact": "The LEAV Last Email Address Validator plugin for WordPress contains a flaw in the display_settings_page function where nonce verification is missing or incorrect. This defect enables a Cross\u2011Site Request Forgery attack, allowing an unauthenticated user to trick an administrator into submitting a forged request that changes plugin settings. The resulting compromise can alter configuration parameters without authorization, potentially impacting site behavior and user data handling.", "risk_and_exploitability": "The CVSS score is 4.3, indicating moderate impact. The EPSS score is below 1%, suggesting a low likelihood of exploitation in current data. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is that an unauthenticated attacker sends a crafted link to a site administrator, who upon clicking would trigger the CSRF and update settings; no authentication or authorization checks are present, making the exploit straightforward when an admin is lured."}}}}, "created": "2026-01-16T13:41:37.484338+00:00", "updated": "2026-04-21T16:30:40.676790+00:00", "vendors": ["smings", "smings$PRODUCT$leav_last_email_address_validator", "wordpress", "wordpress$PRODUCT$wordpress"]}