Platform: wordpress
Component: afiliados-de-amazon-lite
Fixed in: 1.0.1
CVE-2025-14734 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Amazon affiliate lite Plugin for WordPress. This flaw allows attackers to manipulate plugin settings by crafting malicious requests, potentially altering affiliate tracking configurations or other plugin-specific settings. The vulnerability impacts versions 1.0.0 and earlier. A fix is expected in a future plugin release.
An attacker could exploit this CSRF vulnerability to modify the Amazon affiliate lite Plugin's settings without needing credentials of their own: the forged request is executed by the browser of an already logged-in administrator. This could involve changing affiliate IDs, altering tracking parameters, or disabling certain plugin features. The impact extends beyond simple configuration changes; an attacker could potentially redirect affiliate revenue or inject malicious code through plugin settings, leading to financial losses or further compromise of the WordPress site. Because exploitation requires only tricking a site administrator into opening a malicious link or page, the potential for widespread abuse is increased.
This vulnerability was publicly disclosed on 2025-12-20. No public proof-of-concept (PoC) code has been released at the time of writing, but the low exploitation effort suggests a moderate risk of exploitation. It is not currently listed on CISA KEV. The vulnerability's reliance on social engineering (tricking an administrator) is the main factor limiting, but not preventing, its exploitability.
WordPress websites utilizing the Amazon affiliate lite Plugin, particularly those with shared hosting environments or lacking robust administrator training, are at increased risk. Sites with less frequent security audits and outdated plugin versions are also more vulnerable.
• wordpress / composer / npm:
  grep -r 'ADAL_settings_page' /var/www/html/wp-content/plugins/amazon-affiliate-lite/
• wordpress / composer / npm:
  wp plugin list --status=all | grep 'amazon-affiliate-lite'
• wordpress / composer / npm:
  wp plugin list --status=active | grep 'amazon-affiliate-lite'

Disclosure
Exploit status:
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation is to upgrade to a patched version of the Amazon affiliate lite Plugin once available. Until a patch is released, consider implementing temporary workarounds. These include restricting access to the plugin's settings page to authenticated administrators only, using a WordPress security plugin with CSRF protection, or implementing a Web Application Firewall (WAF) rule to block suspicious requests targeting the 'ADAL_settings_page' function. Regularly monitor WordPress logs for unusual activity related to plugin settings updates.
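For site owners or plugin maintainers who want to see what the missing CSRF protection looks like in WordPress terms, the following is an added illustration, not code from the Amazon affiliate lite Plugin or from this advisory. It shows a hypothetical admin settings handler in its vulnerable form (trusting any POST that reaches it) beside a hardened form that adds a capability check, a WordPress nonce check and input sanitisation. All function, option, action and field names (the `example_affiliate_` prefix and everything built on it) are assumptions chosen for the example.

```php
<?php
// Added illustration (not the plugin's own code): a WordPress admin settings
// handler before and after adding CSRF and capability checks.
// All function, option, action and field names here are hypothetical.

// --- Vulnerable pattern: trusts any POST that reaches admin-post.php ---
// A form submitted cross-site by a logged-in administrator's browser passes
// straight through, because nothing proves the admin intended the change.
function example_affiliate_save_settings_vulnerable() {
    if ( isset( $_POST['affiliate_tag'] ) ) {
        update_option( 'example_affiliate_tag', $_POST['affiliate_tag'] );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example-affiliate' ) );
    exit;
}

// --- Hardened pattern: capability check + nonce check + sanitisation ---
function example_affiliate_save_settings_hardened() {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: the nonce is bound to the logged-in user and the action
    //    name and is only emitted into the site's own settings form, so a
    //    request forged by a third-party page fails here.
    //    check_admin_referer() terminates the request on failure.
    check_admin_referer( 'example_affiliate_save', 'example_affiliate_nonce' );

    // 3. Sanitise the submitted value before storing it.
    $tag = isset( $_POST['affiliate_tag'] )
        ? sanitize_text_field( wp_unslash( $_POST['affiliate_tag'] ) )
        : '';
    update_option( 'example_affiliate_tag', $tag );

    wp_safe_redirect( add_query_arg(
        'updated',
        '1',
        admin_url( 'options-general.php?page=example-affiliate' )
    ) );
    exit;
}
// admin_post_{action} only fires for logged-in users; the checks above are
// still required because "logged in" says nothing about intent or role.
add_action( 'admin_post_example_affiliate_save', 'example_affiliate_save_settings_hardened' );

// The settings form that emits the nonce field the hardened handler checks.
function example_affiliate_render_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_affiliate_save">
        <?php wp_nonce_field( 'example_affiliate_save', 'example_affiliate_nonce' ); ?>
        <label>Affiliate tag
            <input type="text" name="affiliate_tag"
                   value="<?php echo esc_attr( get_option( 'example_affiliate_tag', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this class of bug, look for `update_option()` or direct `$_POST` handling in a settings or `admin_post_*`/`admin_init` path with no preceding `check_admin_referer()`, `wp_verify_nonce()` or `current_user_can()` call. Plugins that register their options through the Settings API (`register_setting()` plus `settings_fields()` in the form) get the nonce and capability checks from `options.php` automatically, which is the simpler route for new code.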
No known patch available. Please review the details of the vulnerability carefully and apply mitigations based on your organisation's risk appetite. It may be best to uninstall the affected software and find a replacement.
CVE-2025-14734 is a Cross-Site Request Forgery vulnerability in the Amazon affiliate lite Plugin for WordPress versions up to 1.0.0, allowing attackers to modify plugin settings via forged requests.
If you are using the Amazon affiliate lite Plugin version 1.0.0 or earlier, you are potentially affected by this vulnerability.
Upgrade to a patched version of the Amazon affiliate lite Plugin as soon as it becomes available. Until then, implement temporary workarounds like restricting access to settings or using a WAF.
While no public exploits are currently known, the ease of exploitation suggests a potential for active exploitation.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.