{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14904", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-18T18:04:39.071Z", "datePublished": "2026-01-07T06:35:57.026Z", "dateUpdated": "2026-04-08T16:32:23.928Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:23.928Z"}, "affected": [{"vendor": "anilankola", "product": "Newsletter Email Subscribe", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Newsletter Email Subscribe plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4. This is due to incorrect nonce validation on the nels_settings_page function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Newsletter Email Subscribe <= 2.4 - Cross-Site Request Forgery to Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/00dd9a3c-a9f9-4fd2-9c93-0def42cec496?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/newsletter-email-subscribe/tags/2.4/newsletter-email-subscribe.php#L109"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2026-01-06T18:35:02.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T14:52:53.856733Z", "id": "CVE-2025-14904", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T16:14:36.024Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14904", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T14:52:53.856733Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T14:52:55.842Z"}}], "cna": {"title": "Newsletter Email Subscribe <= 2.4 - Cross-Site Request Forgery to Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "anilankola", "product": "Newsletter Email Subscribe", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-06T18:35:02.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/00dd9a3c-a9f9-4fd2-9c93-0def42cec496?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/newsletter-email-subscribe/tags/2.4/newsletter-email-subscribe.php#L109"}], "descriptions": [{"lang": "en", "value": "The Newsletter Email Subscribe plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4. This is due to incorrect nonce validation on the nels_settings_page function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:23.928Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14904", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:32:23.928Z", "dateReserved": "2025-12-18T18:04:39.071Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-07T06:35:57.026Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Newsletter Email Subscribe plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4. This is due to incorrect nonce validation on the nels_settings_page function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-14904", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-07T12:16:58.097", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/newsletter-email-subscribe/tags/2.4/newsletter-email-subscribe.php#L109"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/00dd9a3c-a9f9-4fd2-9c93-0def42cec496?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:49:58.990114+00:00", "value": {"mitigation_remediation": ["Upgrade the Newsletter Email Subscribe plugin to the latest version where CSRF protections are corrected.", "If an upgrade is infeasible, restrict remote access to the plugin settings page or limit it to trusted network segments.", "Encourage administrators to verify the authenticity of any link before clicking and to use additional authentication methods such as two\u2011factor authentication to mitigate social\u2011engineering attempts."], "summary": {"action": "Upgrade Plugin", "impact": "Cross\u2011Site Request Forgery allowing unauthenticated modification of plugin settings"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Newsletter Email Subscribe plugin version 2.4 or earlier installed from the anilankola vendor are affected.", "description_and_impact": "The Newsletter Email Subscribe plugin for WordPress is vulnerable to Cross\u2011Site Request Forgery in all versions up to 2.4. An error in the nonce validation inside the nels_settings_page function permits an attacker to supply a forged request that changes the plugin\u2019s settings. The primary impact is the ability to alter configuration of the plugin without authentication, which may, based on the description, affect how email notifications are managed and sent.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the EPSS score of <1% suggests that active exploitation is currently unlikely. The vulnerability is not listed in CISA KEV. Exploitation requires an attacker to craft a malicious URL and persuade a site administrator to click it, typically through social engineering. Successful exploitation would allow the attacker to modify the plugin\u2019s configuration, potentially changing email behavior and other functionalities controlled by the settings."}}}}, "created": "2026-01-08T09:49:36.063097+00:00", "updated": "2026-04-27T22:00:16.542815+00:00", "vendors": ["anilankola", "anilankola$PRODUCT$newsletter_email_subscribe", "wordpress", "wordpress$PRODUCT$wordpress"]}