Platform
wordpress
Component
last-email-address-validator
Fixed in
1.7.2
CVE-2025-14853 identifies a Cross-Site Request Forgery (XSRF) vulnerability within the LEAV Last Email Address Validator plugin for WordPress. This flaw allows unauthenticated attackers to manipulate plugin settings through crafted requests, potentially compromising email validation processes. The vulnerability affects versions from 0.0.0 up to and including 1.7.1. A patch is expected to be released by the vendor.
The primary impact of this XSRF vulnerability lies in the ability of an attacker to modify the plugin's configuration settings. Successful exploitation could lead to attackers altering email validation rules, potentially allowing spam or malicious emails to bypass filters. This could result in users receiving unwanted or harmful communications, impacting the overall security and reputation of the WordPress site. While the vulnerability requires tricking a site administrator into performing an action (e.g., clicking a malicious link), the potential for widespread impact across multiple users makes it a significant concern. The attacker does not need authentication to exploit the vulnerability, only to craft a request that appears legitimate to the plugin.
CVE-2025-14853 was publicly disclosed on 2026-01-16. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's relatively low CVSS score (4.3) suggests a lower probability of exploitation, but the ease of exploitation (no authentication required) warrants attention. It is not currently listed on the CISA KEV catalog.
WordPress sites utilizing the LEAV Last Email Address Validator plugin, particularly those with site administrators who are susceptible to social engineering attacks, are at risk. Shared hosting environments where multiple websites share the same server resources could also be affected if one site is compromised.
• wordpress / composer / npm:
  grep -r 'display_settings_page' /var/www/html/wp-content/plugins/leav-last-email-address-validator/
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep leav-last-email-address-validator
• wordpress / composer / npm:
  wp plugin update --all
Disclosure
Exploit status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS vector
The most effective mitigation is to upgrade to a patched version of the LEAV Last Email Address Validator plugin as soon as it becomes available. Until a patch is released, consider temporary workarounds: restrict access to the plugin's settings page to authenticated administrators only, and apply stricter input validation to every parameter handled by the display_settings_page function. A Web Application Firewall (WAF) can be configured to detect and block suspicious requests targeting this endpoint. Monitor WordPress logs for unusual activity related to the plugin's settings.
No known patch is available. Review the vulnerability details thoroughly and implement protective measures based on your organization's risk appetite. It may be best to uninstall the affected software and find an alternative.
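In WordPress, the standard defence against this class of settings-page CSRF is a capability check combined with a nonce check on the request that saves the settings: the nonce is a per-user, time-limited token that a forged cross-site request cannot supply. The following is an added example written for this page, not code from the LEAV plugin; the option name, action name, form page and field are hypothetical placeholders chosen to illustrate the pattern.

```php
<?php
// Added example, not the LEAV plugin's own code. All names below
// (EXAMPLE_OPTION, EXAMPLE_ACTION, the settings page slug and the
// block_disposable field) are hypothetical placeholders.

defined( 'ABSPATH' ) || exit;

const EXAMPLE_OPTION = 'example_email_validator_settings'; // hypothetical option name
const EXAMPLE_ACTION = 'example_save_settings';            // hypothetical admin-post action

// Render the settings form. wp_nonce_field() embeds a token bound to the
// current user and a time window; a cross-site form cannot know it in advance.
function example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to view this page.' ) );
    }
    $settings = get_option( EXAMPLE_OPTION, array( 'block_disposable' => 0 ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( EXAMPLE_ACTION, '_example_nonce' ); ?>
        <input type="hidden" name="action" value="<?php echo esc_attr( EXAMPLE_ACTION ); ?>">
        <label>
            <input type="checkbox" name="block_disposable" value="1"
                <?php checked( 1, (int) $settings['block_disposable'] ); ?>>
            Block disposable e-mail domains
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the POST. Both checks are needed: the capability check stops
// low-privileged users, the nonce check stops an administrator's browser
// from being driven by a request forged on another site (the CSRF case).
function example_handle_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }
    // check_admin_referer() terminates the request with wp_die() when the
    // nonce is missing, expired or was issued for a different user/action.
    check_admin_referer( EXAMPLE_ACTION, '_example_nonce' );

    // Allow-list validation: only the expected field, coerced to 0 or 1,
    // so unexpected parameters in the request body are ignored.
    $settings = array(
        'block_disposable' => isset( $_POST['block_disposable'] ) ? 1 : 0,
    );
    update_option( EXAMPLE_OPTION, $settings );

    // Hypothetical settings page slug used for the post-save redirect.
    wp_safe_redirect( add_query_arg(
        'settings-updated',
        'true',
        admin_url( 'options-general.php?page=example-email-validator' )
    ) );
    exit;
}
add_action( 'admin_post_' . EXAMPLE_ACTION, 'example_handle_save_settings' );
```

The order of the two checks in the handler is deliberate: a request that fails the capability check never reaches the nonce verification, and a request that passes the capability check but lacks a valid nonce is rejected before any option is written. Rejections from check_admin_referer() surface as HTTP 403 responses in the web server log, which gives the "monitor WordPress logs" step above a concrete signal to look for.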
CVE-2025-14853 is a Cross-Site Request Forgery (XSRF) vulnerability affecting the LEAV Last Email Address Validator WordPress plugin, allowing attackers to modify plugin settings via forged requests.
You are affected if your WordPress site uses the LEAV Last Email Address Validator plugin in versions 0.0.0–1.7.1. Upgrade as soon as a patch is available.
The primary fix is to upgrade to a patched version of the LEAV Last Email Address Validator plugin. Until then, implement temporary workarounds like restricting access to the settings page.
There is currently no confirmed active exploitation of CVE-2025-14853, but the ease of exploitation warrants vigilance.
Check the LEAV Last Email Address Validator plugin's official website or WordPress plugin repository for updates and advisories related to CVE-2025-14853.