Platform: wordpress
Component: auto-post-to-social-media-wp-to-social-champ
Fixed in: 1.3.6
CVE-2025-14846 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Social Champ WordPress plugin. This flaw allows unauthenticated attackers to potentially modify plugin settings if they can induce a site administrator to perform actions through crafted requests. The vulnerability impacts versions 1.0.0 through 1.3.5 of the plugin, and a fix is available in version 1.3.6.
The primary impact of this CSRF vulnerability is the potential for unauthorized modification of plugin settings. An attacker could craft malicious links or forms that, when clicked by a site administrator, would silently execute actions on their behalf. This could involve altering social media posting schedules, changing API keys, or modifying other critical plugin configurations. The blast radius is limited to the plugin's functionality, but successful exploitation could lead to compromised social media accounts and potentially damage a website's reputation. While the vulnerability requires user interaction (an administrator clicking a malicious link), the ease of crafting such links makes it a significant risk.
This vulnerability was publicly disclosed on 2026-01-14. There are currently no known public proof-of-concept exploits available. It is not listed on the CISA KEV catalog at the time of writing. The medium CVSS score reflects the requirement for user interaction, but the potential impact warrants prompt remediation.
Websites utilizing the Social Champ plugin, particularly those with administrators who are not adequately trained in security best practices, are at risk. Shared hosting environments where plugin updates are managed centrally are also vulnerable if they haven't applied the update.
• wordpress / composer / npm:
  grep -r 'wpsc_settings_tab_menu' /var/www/html/wp-content/plugins/social-champ/
• generic web:
  curl -I https://your-wordpress-site.com/wp-content/plugins/social-champ/ | grep -i 'wpsc_settings_tab_menu'
  (A HEAD request returns response headers only, and the function name lives in PHP source that is never served to clients, so this remote check cannot match the function name; at most it confirms that the plugin directory responds. Verify the installed version from the plugin files or the WordPress admin plugin list instead.)
Exploit status:
EPSS: 0.02% (4th percentile)
CISA SSVC:
CVSS vector:
The recommended mitigation is to immediately upgrade the Social Champ plugin to version 1.3.6 or later. This version includes the necessary nonce validation to prevent CSRF attacks. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out suspicious requests targeting the wpsc_settings_tab_menu function. Additionally, educate administrators about the risks of clicking on untrusted links and the importance of verifying the source of any requests they are prompted to approve. After upgrading, confirm the fix by attempting to trigger a setting change via a crafted CSRF request; it should be rejected.
Update to version 1.3.6 or a newer patched version.
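To make the fix concrete, the following is an added example and not Social Champ's own code: a hypothetical WordPress settings-save handler, first in the unprotected shape that a CSRF bug like this one has, then hardened with the nonce validation the advisory describes plus a capability check. The function names (`example_sc_save_settings*`, `example_sc_render_form`), the option name `example_sc_settings`, the nonce action `example_sc_save` and the field name `example_sc_nonce` are all assumptions for illustration.

```php
<?php
// Added example, not code from the Social Champ plugin. All example_sc_* names,
// the option name and the nonce action are hypothetical.

// --- Unprotected handler: the shape of the bug ---
// Any POST that reaches admin-post.php is trusted. A form on a third-party page
// can submit it while an administrator is logged in; the browser attaches the
// session cookie automatically, so the settings change without the admin's consent.
function example_sc_save_settings_unprotected() {
    $settings = array(
        'api_key'  => isset( $_POST['api_key'] ) ? $_POST['api_key'] : '',
        'schedule' => isset( $_POST['schedule'] ) ? $_POST['schedule'] : '',
    );
    update_option( 'example_sc_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=example-sc&updated=1' ) );
    exit;
}
// (Deliberately not hooked to any action.)

// --- Hardened handler: capability check + nonce validation + sanitisation ---
function example_sc_save_settings() {
    // 1. Authorisation: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF defence: check_admin_referer() verifies the nonce submitted in the
    //    'example_sc_nonce' field against the 'example_sc_save' action for the
    //    current user and session. A cross-site form cannot know this value, so
    //    WordPress stops the request with a 403 "link expired" page.
    check_admin_referer( 'example_sc_save', 'example_sc_nonce' );

    // 3. Validate and sanitise input before it is persisted.
    $settings = array(
        'api_key'  => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'schedule' => sanitize_text_field( wp_unslash( $_POST['schedule'] ?? '' ) ),
    );
    update_option( 'example_sc_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=example-sc&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_sc_save', 'example_sc_save_settings' );

// --- Settings form: wp_nonce_field() embeds the nonce the handler expects ---
function example_sc_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_sc_save">
        <?php wp_nonce_field( 'example_sc_save', 'example_sc_nonce' ); ?>
        <label>API key <input type="text" name="api_key"></label>
        <label>Schedule <input type="text" name="schedule"></label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}
```

The two checks serve different purposes and both are needed: `current_user_can()` decides who is allowed to change settings at all, while `check_admin_referer()` proves the request originated from a form the site itself rendered for this user rather than from another origin. To verify a fix of this kind on a test instance, submit the settings form with the nonce field removed while logged in as an administrator; the hardened handler must answer with a 403 error page and leave the stored option unchanged, which is the "crafted request is rejected" outcome the advisory asks you to confirm.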
CVE-2025-14846 is a Cross-Site Request Forgery (CSRF) vulnerability in the Social Champ WordPress plugin, allowing attackers to modify settings if an administrator clicks a malicious link.
You are affected if you are using Social Champ for WordPress versions 1.0.0 through 1.3.5. Upgrade to 1.3.6 or later to mitigate the risk.
Upgrade the Social Champ plugin to version 1.3.6 or later. Consider a WAF rule to filter suspicious requests targeting the vulnerable function as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants prompt remediation.
Refer to the Social Champ website and WordPress plugin repository for the latest advisory and update information.