Platform
wordpress
Component
accelerated-mobile-pages
Fixed in
1.2.0
CVE-2025-14468 describes a Cross-Site Request Forgery (XSRF) vulnerability discovered in the AMP for WP – Accelerated Mobile Pages plugin for WordPress. This flaw allows unauthenticated attackers to potentially submit comments as logged-in users, impacting website integrity and user accounts. The vulnerability affects versions from 1.0.0 through 1.1.9, and a fix is available in version 1.1.10.
The primary impact of this XSRF vulnerability lies in the potential for unauthorized comment submissions. An attacker could craft a malicious link or embed a hidden form that, when triggered by a logged-in user, submits a comment on their behalf. This could be used to spread spam, deface the website with inappropriate content, or even impersonate the user. The success of the attack hinges on the attacker's ability to trick a user into clicking the malicious link or visiting the crafted page while logged into WordPress. The blast radius is limited to the website's comment section and the accounts of logged-in users.
This vulnerability was publicly disclosed on 2026-01-07. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the relatively straightforward nature of XSRF attacks and the plugin's popularity, it is prudent to apply the patch promptly.
Websites using the AMP for WP plugin, particularly those with active comment sections and a significant number of logged-in users, are at risk. Shared hosting environments where multiple websites share the same server resources are also potentially vulnerable, as a compromise on one site could lead to attacks targeting others.
• wordpress / composer / npm:
  grep -r 'amp_theme_ajaxcomments' /var/www/html/wp-content/plugins/amp-wp/
  wp plugin list --status=active | grep 'amp-wp'
  wp plugin update amp-wp --version=1.1.10
  wp plugin status amp-wp
  wp plugin list --all | grep 'AMP for WP'
Disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The most effective mitigation is to immediately upgrade the AMP for WP plugin to version 1.1.10 or later. This version contains the necessary fix to address the inverted nonce verification logic. As an interim measure, disabling the plugin's template mode can reduce the attack surface, although this may impact the plugin's functionality. Regularly review WordPress user accounts and monitor comment submissions for suspicious activity. Consider implementing a Web Application Firewall (WAF) with XSRF protection rules to further mitigate the risk.
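To make the "inverted nonce verification" failure mode concrete, here is an added, hypothetical admin-ajax comment handler (not the plugin's own code; the action name, nonce action and POST field names are assumed), showing the inverted branch beside the check_ajax_referer() form that a correct handler uses.

```php
<?php
// Hypothetical example, not code from the AMP for WP plugin.
// Only the fixed handler is registered; the vulnerable one is kept for comparison.
add_action( 'wp_ajax_example_amp_comment', 'example_amp_comment_fixed' );

function example_amp_comment_vulnerable() {
    // BUG: the branch is inverted. A request carrying a *valid* nonce is
    // rejected, while a request with no nonce or a forged one (which is
    // exactly what a cross-site form submits) falls through and the comment
    // is stored under the logged-in victim's identity.
    if ( isset( $_POST['_wpnonce'] )
         && wp_verify_nonce( $_POST['_wpnonce'], 'example_amp_comment' ) ) {
        wp_send_json_error( 'invalid request', 403 );
    }
    example_amp_insert_comment();
}

function example_amp_comment_fixed() {
    // check_ajax_referer() terminates the request with a 403 unless the
    // nonce was minted for this action for the current user's session.
    // Because a foreign origin cannot read the nonce, a cross-site form
    // cannot produce a passing request.
    check_ajax_referer( 'example_amp_comment', '_wpnonce' );
    example_amp_insert_comment();
}

function example_amp_insert_comment() {
    $comment = array(
        'comment_post_ID' => absint( $_POST['post_id'] ?? 0 ),
        'comment_content' => wp_kses_post( wp_unslash( $_POST['comment'] ?? '' ) ),
        'user_id'         => get_current_user_id(),
    );
    // Second argument asks for a WP_Error instead of a fatal on failure.
    $id = wp_new_comment( $comment, true );
    if ( is_wp_error( $id ) ) {
        wp_send_json_error( $id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'comment_id' => $id ) );
}

// The legitimate form must emit a nonce for the same action, e.g.:
// wp_nonce_field( 'example_amp_comment', '_wpnonce' );
```

When reviewing a handler for this bug class, verify that the nonce check's failure path, not its success path, is the one that aborts.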
Update to version 1.1.10 or a newer patched version
CVE-2025-14468 is a Cross-Site Request Forgery (XSRF) vulnerability in the AMP for WP plugin, allowing attackers to submit comments as logged-in users if template mode is enabled.
You are affected if you are using AMP for WP versions 1.0.0 through 1.1.9 and have the plugin's template mode enabled.
Upgrade the AMP for WP plugin to version 1.1.10 or later. Disabling template mode is a temporary mitigation.
There are currently no known active exploits, but the vulnerability's nature makes it a potential target.
Refer to the official AMP for WP plugin documentation and WordPress security announcements for the latest information.