Resource Library for Logged In Users <= 1.5 - Cross-Site Request Forgery to Multiple Administrative Actions
Platform
wordpress
Component
doubledome-resource-link-library
Fixed in
1.5.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Resource Library for Logged In Users plugin for WordPress. An unauthenticated attacker can have the plugin's administrative actions carried out on a site by tricking a logged-in administrator into opening attacker-controlled content (for example by clicking a link): the administrator's browser submits the forged request together with its WordPress session cookie, and the plugin acts on it without a CSRF check. Versions up to and including 1.5 are affected. Note that the fixed-in field above lists 1.5.1 while the advisory text names 1.6; installing the latest release covers both.
Impact and Attack Scenarios
The forged request runs with the privileges of the administrator whose browser sends it. The actions exposed are the creation, modification, and deletion of resources and categories within the Resource Library. A successful attack can therefore add unauthorized content to the site, alter existing entries, or remove resources that visitors depend on, which disrupts site functionality and compromises data integrity. The attacker never needs an account of their own; the damage is bounded by what the plugin's handlers can do, but the victim must hold an active administrator session at the moment the forged request is sent.
Exploitation Context
The vulnerability is publicly documented; it was disclosed on 2025-12-12. No active exploitation campaign has been linked to CVE-2025-14354 at the time of writing, and it has no CISA KEV listing. Exploitation requires no special tooling beyond a web page or link that the administrator opens while logged in, so the absence of known campaigns should not be read as low risk for a site that is specifically targeted.
Who Is at Risk
Any WordPress site running an affected version of the plugin is at risk. Hosting type and server configuration make no difference to a CSRF bug; what matters is whether an administrator, while holding an active WordPress session, opens attacker-controlled content such as an e-mail link, a forum post, or a page that embeds the forged request. Sites whose administrators browse the web from the same browser profile they use for wp-admin are the most exposed.
Detection Steps
• WordPress (filesystem / WP-CLI): confirm the installed plugin version; anything at or below 1.5 is affected.
wp plugin get doubledome-resource-link-library --field=version
grep -rn -m1 'Version:' --include='*.php' /var/www/html/wp-content/plugins/doubledome-resource-link-library/
• Source check: the plugin's action handlers should call one of WordPress's nonce verification helpers. Emitting a nonce in a form (wp_nonce_field) is not enough on its own; what protects against CSRF is the handler verifying it before acting.
grep -rnE 'wp_verify_nonce|check_admin_referer|check_ajax_referer' /var/www/html/wp-content/plugins/doubledome-resource-link-library/
• Generic web: a HEAD request against admin-post.php reveals nothing about CSRF. A meaningful manual test is to reproduce one of the plugin's own admin form submissions from a page hosted on a different origin, without the nonce, while logged in as an administrator in another tab, and observe whether the action is carried out. Do this only against a test copy of the site.
Attack Timeline
- Disclosure: 2025-12-12
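Complementing the detection steps above, the following is an added example (not the plugin's code and not part of the original advisory) of a source-level triage check for this class of bug. It finds WordPress action handlers registered for admin-post.php and admin-ajax.php (`add_action('admin_post_*' / 'wp_ajax_*', 'callback')`), extracts each callback's body, and reports handlers that never call a nonce verification helper. The PHP it runs over is a constructed sample with hypothetical function and hook names; it contains one unprotected handler and one hardened handler so the difference is visible.

```python
import re
import pathlib

# WordPress helpers that verify a CSRF nonce; any one inside a handler body
# counts as protection for this coarse, regex-based triage.
NONCE_CHECKS = ("wp_verify_nonce", "check_admin_referer", "check_ajax_referer")
CAPABILITY_CHECKS = ("current_user_can",)

# add_action('admin_post_<action>', 'callback') / add_action('wp_ajax_<action>', 'callback').
# admin-post.php fires admin_post_{action} for logged-in users and admin_post_nopriv_{action}
# for anonymous ones; admin-ajax.php does the same with the wp_ajax_ prefix.
HOOK_RE = re.compile(
    r"""add_action\(\s*["'](?P<hook>(?:admin_post_|wp_ajax_)(?:nopriv_)?\w+)["']\s*,\s*["'](?P<cb>\w+)["']\s*"""
)


def extract_function_body(src: str, name: str):
    """Return the body of `function name(...) { ... }` by brace matching, or None if undefined.

    Strings and comments are not tokenised, so a brace inside a string literal would
    confuse this; that is acceptable for triage, not for a real PHP parser.
    """
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if m is None:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth > 0:
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
        i += 1
    return src[m.end():i - 1]


def audit_handlers(src: str):
    """For every admin_post_/wp_ajax_ hook registered with a plain function-name callback,
    report whether the callback is defined in `src` and whether it checks a nonce and a capability."""
    findings = []
    for m in HOOK_RE.finditer(src):
        hook, cb = m.group("hook"), m.group("cb")
        body = extract_function_body(src, cb)
        findings.append({
            "hook": hook,
            "callback": cb,
            "defined": body is not None,
            "nonce_checked": body is not None and any(f in body for f in NONCE_CHECKS),
            "capability_checked": body is not None and any(f in body for f in CAPABILITY_CHECKS),
        })
    return findings


def unprotected_hooks(src: str):
    """Hooks whose handler is defined in `src` but never verifies a nonce: CSRF candidates."""
    return [f["hook"] for f in audit_handlers(src) if f["defined"] and not f["nonce_checked"]]


def audit_plugin_dir(path: str):
    """Run the audit over every .php file below `path` (e.g. a plugin directory).
    Callbacks defined in a different file than their add_action() call are reported as undefined."""
    results = {}
    for p in pathlib.Path(path).rglob("*.php"):
        hooks = unprotected_hooks(p.read_text(errors="replace"))
        if hooks:
            results[str(p)] = hooks
    return results


# Constructed PHP sample (hypothetical names): the first handler trusts any request the
# administrator's browser sends; the second verifies a nonce and a capability first.
SAMPLE_PHP = """<?php
add_action('admin_post_rl_delete_resource', 'rl_delete_resource');
function rl_delete_resource() {
    $id = intval($_GET['id']);          // neither a nonce nor a capability is checked
    wp_delete_post($id, true);
    wp_redirect(admin_url('admin.php?page=resource-library'));
    exit;
}

add_action('admin_post_rl_create_resource', 'rl_create_resource');
function rl_create_resource() {
    check_admin_referer('rl_create_resource');   // dies unless _wpnonce is valid for this action
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden');
    }
    wp_insert_post(array(
        'post_type'  => 'resource',
        'post_title' => sanitize_text_field($_POST['title']),
    ));
    wp_redirect(admin_url('admin.php?page=resource-library'));
    exit;
}
"""

if __name__ == "__main__":
    for finding in audit_handlers(SAMPLE_PHP):
        print(finding)
    print("CSRF candidates:", unprotected_hooks(SAMPLE_PHP))
```

Point `audit_plugin_dir` at the plugin directory (wp-content/plugins/doubledome-resource-link-library/) to scan a real install. A hit is a lead, not proof: the callback may verify the nonce inside a helper it calls, or the plugin may register handlers with array callbacks or closures that this regex deliberately skips. The hardened handler in the sample shows the shape of the fix: verify the nonce, then the capability, then act.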
Threat Analysis
- Exploit status: no known active exploitation at the time of writing
- EPSS: 0.02% (5th percentile)
- CISA SSVC: none listed
- CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (CVSS 3.x base score 4.3, derived from the metric breakdown below)
CVSS Metrics
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions; reliably exploitable.
- Privileges Required: None. The attacker needs no account; it is the victim administrator, not the attacker, who must be authenticated.
- User Interaction: Required. The victim must open a file, click a link, or visit a page.
- Scope: Unchanged. Impact is confined to the vulnerable component.
- Confidentiality: None.
- Integrity: Low. The attacker can modify some data to a limited extent.
- Availability: None.
Affected Software
Package Information
- Active installations: 40
- Plugin rating: 0.0
- Requires WordPress: 5.4+
- Compatible up to: 6.9.4
Vulnerability Classification (CWE)
- CWE-352: Cross-Site Request Forgery (CSRF)
Mitigation and Workarounds
Upgrade the plugin to the patched release: the fixed-in field above lists 1.5.1 while the advisory text cites 1.6, so install the latest available version. If you cannot upgrade immediately, deactivate the plugin until you can; a CSRF bug in an admin-only action cannot be triggered while the plugin's handlers are not registered. A WAF can only approximate protection here, because the forged request is sent by the administrator's own browser with a valid session: a rule that rejects requests to admin-post.php and admin-ajax.php whose Origin or Referer header is not your own site stops typical cross-site forgeries, whereas a generic "CSRF rule" that only inspects payloads does not. Chromium-based browsers treat cookies without a SameSite attribute (WordPress core does not set one on its auth cookies) as Lax by default, which in most cases keeps the session cookie out of cross-site form POSTs but not out of top-level GET navigations, so browser defaults are a partial defense at best. Tell administrators to use a separate browser profile for wp-admin and to log out when finished, and keep the number of administrator accounts to a minimum so that a successful forgery inherits as little as possible.
How to Fix
Update to the patched release (1.5.1 per the fixed-in field above; the advisory text names 1.6) or any later version.
Frequently Asked Questions
What is CVE-2025-14354 — CSRF in Resource Library for Logged In Users?
CVE-2025-14354 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions up to and including 1.5 of the Resource Library for Logged In Users WordPress plugin. It lets an attacker have the plugin's administrative actions (creating, modifying, and deleting resources and categories) performed by a logged-in administrator's browser without the administrator's intent.
Am I affected by CVE-2025-14354 in Resource Library for Logged In Users?
If the plugin is installed at version 1.5 or earlier, you are affected. Check the version under Plugins > Installed Plugins in wp-admin, or run `wp plugin get doubledome-resource-link-library --field=version`.
How do I fix CVE-2025-14354 in Resource Library for Logged In Users?
Upgrade to the patched release (1.5.1 per the fixed-in field above; the advisory text cites 1.6) or any later version. Until then, deactivate the plugin, or add a WAF rule that rejects requests to admin-post.php and admin-ajax.php whose Origin or Referer is not your site.
Is CVE-2025-14354 being actively exploited?
No active exploitation campaign is known at the time of writing and the CVE is not in the CISA KEV catalog, but a CSRF that only needs the administrator to open a link remains an attractive target for a site that is specifically attacked.
Where can I find the official Resource Library advisory for CVE-2025-14354?
Check the plugin's page in the WordPress plugin directory (slug doubledome-resource-link-library) and its changelog for the release that contains the fix, as well as the developer's own site.