{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14999", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-20T17:34:28.997Z", "datePublished": "2026-01-07T08:21:53.250Z", "dateUpdated": "2026-04-08T17:04:08.966Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:08.966Z"}, "affected": [{"vendor": "kentothemes", "product": "Latest Tabs", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Latest Tabs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings update handler in admin-page.php. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Latest Tabs <= 1.5 - Cross-Site Request Forgery to Plugin's Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/837f49e6-dcba-4451-bbbe-14890ab87207?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kento-latest-tabs/trunk/admin-page.php#L7"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "omer yeshayahu"}], "timeline": [{"time": "2025-12-14T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-06T20:02:48.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T16:35:22.187082Z", "id": "CVE-2025-14999", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T16:35:28.785Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14999", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T16:35:22.187082Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T16:35:25.341Z"}}], "cna": {"title": "Latest Tabs <= 1.5 - Cross-Site Request Forgery to Plugin's Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "omer yeshayahu"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "kentothemes", "product": "Latest Tabs", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-14T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-06T20:02:48.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/837f49e6-dcba-4451-bbbe-14890ab87207?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kento-latest-tabs/trunk/admin-page.php#L7"}], "descriptions": [{"lang": "en", "value": "The Latest Tabs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings update handler in admin-page.php. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-07T08:21:53.250Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14999", "state": "PUBLISHED", "dateUpdated": "2026-01-07T16:35:28.785Z", "dateReserved": "2025-12-20T17:34:28.997Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-07T08:21:53.250Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Latest Tabs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings update handler in admin-page.php. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-14999", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-07T12:16:58.240", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kento-latest-tabs/trunk/admin-page.php#L7"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/837f49e6-dcba-4451-bbbe-14890ab87207?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:45:03.267724+00:00", "value": {"mitigation_remediation": ["Upgrade Kentothemes\u2019 Latest Tabs plugin to a version newer than 1.5, when available", "If an upgrade is not feasible, disable or uninstall the plugin to eliminate the attack surface", "Verify that all settings update endpoints within the plugin include proper WordPress nonce checks to prevent future CSRF attempts"], "summary": {"action": "Patch", "impact": "Unauthorized configuration changes via CSRF"}, "threat_synthesis": {"affected_systems": "Kentothemes\u2019 Latest Tabs plugin is affected in all releases up to and including version 1.5. Users of any installation of this plugin that has not been updated beyond 1.5 are at risk.", "description_and_impact": "The Latest Tabs plugin for WordPress suffers from a Cross\u2011Site Request Forgery flaw caused by missing or incorrect nonce validation in the settings update handler located in admin-page.php. As a result, an attacker who can persuade a site administrator to click a malicious link can alter the plugin\u2019s configuration settings without authentication. This weakness is classified under CWE\u2011352, indicating the vulnerability arises from insufficient request validation. The impact is limited to configuration changes, but such changes could indirectly affect site behaviour or enable further compromise if the plugin controls critical display functions.", "risk_and_exploitability": "The CVSS score of 4.3 reflects moderate severity, while the EPSS score of less than 1% suggests a low likelihood of real\u2011world exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog, indicating it is not registered as a known actively exploited weakness. Exploitation requires an attacker to convince an administrator to visit a crafted URL; no elevated privileges or server-side access are needed for the attack to succeed."}}}}, "created": "2026-01-08T09:49:18.463799+00:00", "updated": "2026-04-21T16:45:15.222789+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}