Animated Pixel Marquee Creator <= 1.0.0 - Cross-Site Request Forgery via 'marquee' Parameter

The primary impact of this CSRF vulnerability is the unauthorized deletion of marquees within the WordPress site. An attacker could craft a malicious link that, when clicked by an administrator, triggers the deletion of marquees without the administrator's explicit consent. This could lead to data loss, disruption of site functionality, and potential defacement if marquees contain important information. While the impact is limited to the plugin's functionality, it highlights the importance of proper input validation and nonce protection in WordPress plugins.

WordPress sites using the Animated Pixel Marquee Creator plugin, particularly those with site administrators who are not vigilant about clicking on suspicious links, are at risk. Shared hosting environments where multiple users share the same server and WordPress installation are also potentially more vulnerable.

• wordpress / composer / npm:

grep -r 'marquee' /var/www/html/wp-content/plugins/animated-pixel-marquee-creator/

• generic web:

curl -I https://example.com/wp-admin/admin-ajax.php?action=marquee_delete&marquee=X | grep -i '200 ok'

1. 2025-12-12Disclosure

   disclosure

1. Reserviert2025-12-04
2. Veröffentlicht2025-12-12
3. Geändert2026-04-08
4. EPSS aktualisiert2026-03-23

The primary mitigation for CVE-2025-14062 is to upgrade the Animated Pixel Marquee Creator plugin to a patched version as soon as it becomes available. Until a patch is released, consider implementing a Web Application Firewall (WAF) rule to filter out requests with missing or invalid nonces for the marquee deletion function. Additionally, restrict access to the plugin's administrative interface and educate administrators about the risks of clicking on suspicious links. Regularly review WordPress plugin installations and remove any unused or outdated plugins.