{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14903", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-18T18:00:09.232Z", "datePublished": "2026-01-24T07:26:40.557Z", "dateUpdated": "2026-04-08T16:37:41.438Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:41.438Z"}, "affected": [{"vendor": "stefanristic", "product": "Simple Crypto Shortcodes", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Simple Crypto Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. This is due to missing nonce validation on the scs_backend function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Simple Crypto Shortcodes <= 1.0.2 - Cross-Site Request Forgery to Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18bcd2ad-1989-4e2b-b82e-fddc4201c5a6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-crypto-shortcodes/tags/1.0.2/simple_crypto_shortcodes.php#L46"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-crypto-shortcodes/tags/1.0.2/simple_crypto_shortcodes.php#L54"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2026-01-23T19:16:43.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T15:29:10.127091Z", "id": "CVE-2025-14903", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T15:45:49.695Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14903", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T15:29:10.127091Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T15:29:37.123Z"}}], "cna": {"title": "Simple Crypto Shortcodes <= 1.0.2 - Cross-Site Request Forgery to Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "stefanristic", "product": "Simple Crypto Shortcodes", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-23T19:16:43.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18bcd2ad-1989-4e2b-b82e-fddc4201c5a6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-crypto-shortcodes/tags/1.0.2/simple_crypto_shortcodes.php#L46"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-crypto-shortcodes/tags/1.0.2/simple_crypto_shortcodes.php#L54"}], "descriptions": [{"lang": "en", "value": "The Simple Crypto Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. This is due to missing nonce validation on the scs_backend function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:41.438Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14903", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:41.438Z", "dateReserved": "2025-12-18T18:00:09.232Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-24T07:26:40.557Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple Crypto Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. This is due to missing nonce validation on the scs_backend function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Simple Crypto Shortcodes para WordPress es vulnerable a falsificaci\u00f3n de petici\u00f3n en sitios cruzados en versiones hasta la 1.0.2, inclusive. Esto se debe a la falta de validaci\u00f3n de nonce en la funci\u00f3n scs_backend. Esto hace posible que atacantes no autenticados actualicen la configuraci\u00f3n del plugin a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-14903", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-24T08:16:06.243", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-crypto-shortcodes/tags/1.0.2/simple_crypto_shortcodes.php#L46"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-crypto-shortcodes/tags/1.0.2/simple_crypto_shortcodes.php#L54"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18bcd2ad-1989-4e2b-b82e-fddc4201c5a6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:07:21.668176+00:00", "value": {"mitigation_remediation": ["Upgrade Simple Crypto Shortcodes to any version newer than 1.0.2 that includes proper nonce validation.", "If an update is not immediately available, configure the web server or the plugin\u2019s own settings to block external access to the scs_backend endpoint, effectively disabling the vulnerable route.", "Deploy a site\u2011wide anti\u2011CSRF or security plugin that adds additional nonce checks to critical admin routes, and enable multi\u2011factor authentication for all administrator accounts to reduce the risk of social\u2011engineering attacks."], "summary": {"action": "Patch Update", "impact": "Unauthenticated Cross\u2011Site Request Forgery enabling arbitrary plugin settings modification"}, "threat_synthesis": {"affected_systems": "WordPress sites running Simple Crypto Shortcodes versions up to and including 1.0.2 are affected. The vulnerability only impacts administrators who can submit the forged request, and it does not affect non\u2011administrator users directly.", "description_and_impact": "The Simple Crypto Shortcodes plugin contains an omission of nonce verification in its scs_backend function, which allows malicious actors to craft a request that a logged\u2011in administrator can unknowingly trigger. This enables the attacker to update the plugin\u2019s settings without providing any credentials, thereby gaining control over how the shortcode behaves on the site. The underlying weakness is a classic CSRF flaw (CWE\u2011352).", "risk_and_exploitability": "The vulnerability carries a CVSS score of 4.3, indicating moderate severity, and an EPSS score of less than 1%, suggesting a low probability of exploitation at present. It is not listed in the CISA KEV catalog. Exploitation requires the attacker to trick an administrator into clicking a link or submitting a form that targets the scs_backend endpoint. Because the flaw is a CSRF attack, it relies on user interaction and is not automatically exploitable from an external source."}}}}, "created": "2026-01-26T11:48:39.989044+00:00", "updated": "2026-04-22T20:15:20.529312+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}