{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14907", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-18T18:11:25.932Z", "datePublished": "2026-01-24T08:26:33.683Z", "dateUpdated": "2026-04-08T16:51:03.038Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:03.038Z"}, "affected": [{"vendor": "hallsofmontezuma", "product": "Moderate Selected Posts", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Moderate Selected Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce verification on the msp_admin_page() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Moderate Selected Posts <= 1.4 - Cross-Site Request Forgery to Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bc23291-1b73-4e92-83ba-0c7f455ac126?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/moderate-selected-posts/tags/1.4/inc/admin.php#L71"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2026-01-23T19:31:04.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T18:05:11.213440Z", "id": "CVE-2025-14907", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T18:05:17.950Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14907", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T18:05:11.213440Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T18:05:14.720Z"}}], "cna": {"title": "Moderate Selected Posts <= 1.4 - Cross-Site Request Forgery to Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "hallsofmontezuma", "product": "Moderate Selected Posts", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-23T19:31:04.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bc23291-1b73-4e92-83ba-0c7f455ac126?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/moderate-selected-posts/tags/1.4/inc/admin.php#L71"}], "descriptions": [{"lang": "en", "value": "The Moderate Selected Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce verification on the msp_admin_page() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:03.038Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14907", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:51:03.038Z", "dateReserved": "2025-12-18T18:11:25.932Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-24T08:26:33.683Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Moderate Selected Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce verification on the msp_admin_page() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Moderate Selected Posts para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 1.4, inclusive. Esto se debe a la falta de verificaci\u00f3n de nonce en la funci\u00f3n msp_admin_page(). Esto hace posible que atacantes no autenticados modifiquen la configuraci\u00f3n del plugin a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-14907", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-24T09:15:52.220", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/moderate-selected-posts/tags/1.4/inc/admin.php#L71"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bc23291-1b73-4e92-83ba-0c7f455ac126?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:10:50.780399+00:00", "value": {"mitigation_remediation": ["Update the Moderate Selected Posts plugin to the latest version that includes the CSRF fix.", "If an upgrade is not immediately possible, restrict unauthenticated access to the plugin\u2019s admin endpoints by performing a role check or disabling the admin page entirely.", "Add a generic nonce verification step to the msp_admin_page() function if the source code can be modified, ensuring that only actions signed with a valid nonce are processed."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Request Forgery resulting in unauthorized plugin settings modification"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Moderate Selected Posts plugin version 1.4 or older, released by hallsofmontezuma. The vulnerability is present in all versions up to and including 1.4, regardless of the WordPress core version.", "description_and_impact": "The Moderate Selected Posts WordPress plugin contains a Cross\u2011Site Request Forgery flaw caused by missing nonce verification in the admin page handler. This weakness allows an attacker to craft a forged request that, when executed by a site administrator who follows a malicious link, will change the plugin\u2019s configuration. The outcome is that an attacker can alter or disable settings set by the administrator, potentially weakening site security or other plugin functions.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity. The EPSS score of < 1% shows that while the probability of exploitation is very low, attacks are still possible. The flaw is not listed in CISA KEV. An attacker would need to lure a website administrator into clicking a crafted link or otherwise submitting a forged request. No special privileges are required beyond the admin role, and no additional system access is needed, making the attack path relatively straightforward for a social engineering vector."}}}}, "created": "2026-01-26T11:48:33.842099+00:00", "updated": "2026-04-21T16:15:40.504918+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}