Platform: wordpress
Component: kento-latest-tabs
Fixed in: 1.5.1
CVE-2025-14999 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Latest Tabs WordPress plugin. The plugin's settings update handler does not bind the request to the acting user (no nonce check), so an unauthenticated attacker who can get a logged-in site administrator to load a crafted page or link has the administrator's browser submit a settings change on the attacker's behalf. The text below gives the affected range as versions 1.0.0 through 1.5 with a fix in version 1.6, while the metadata above records the fixed release as 1.5.1; confirm the exact fixed version against the plugin's changelog before relying on either number.
The primary impact is unauthorized modification of the Latest Tabs plugin's settings. What an attacker can achieve depends on which settings the handler exposes: settings that feed URLs or markup into front-end output could be abused to redirect visitors or inject content, and any setting change can disrupt the feature. The plugin itself holds no sensitive data, but a silently changed configuration on an administrator's site weakens the site's overall security posture. Successful exploitation requires the attacker to convince a site administrator to interact with a crafted request while logged in, so social engineering is a key component of the attack.
CVE-2025-14999 was published on 2026-01-07. No public proof-of-concept (PoC) code is currently known. The EPSS score recorded below is 0.02% (4th percentile), a low predicted probability of exploitation in the wild: the forged request itself is trivial to build, but every attempt needs an administrator to be lured into it. The CVE is not currently listed in the CISA KEV catalog.
WordPress sites running a vulnerable version of the Latest Tabs plugin are at risk, particularly those whose administrators are frequently targeted by phishing or social engineering. Because the attack rides the administrator's own authenticated browser session, any site whose admins browse other websites while logged in to wp-admin is exposed; the attacker needs no account on the target site.
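The following is an added example, not code from the Latest Tabs plugin or from this advisory's source. It shows a settings-save handler of the shape the advisory describes, first without any request binding (the CSRF-prone pattern) and then with the nonce and capability checks WordPress provides. The option name `klt_example_settings`, the nonce action name, the admin page slug and all function names are assumptions chosen for illustration.

```php
<?php
/**
 * Added example (not the Latest Tabs plugin's own code). Option name,
 * action name, page slug and function names are assumptions.
 */

// --- CSRF-prone shape: trusts any POST that reaches the handler. ---
// An attacker page can auto-submit a form to this URL; the victim's browser
// attaches the administrator's WordPress auth cookies and the settings are saved.
function klt_example_save_settings_vulnerable() {
    if ( ! isset( $_POST['klt_example_settings'] ) ) {
        return;
    }
    // No nonce check and no capability check: a cross-site POST is honoured.
    update_option( 'klt_example_settings', wp_unslash( $_POST['klt_example_settings'] ) );
}

// --- Hardened shape: the nonce ties the request to this user's session, ---
// --- the capability check ties the action to an administrator.          ---
function klt_example_render_settings_form() {
    $opts = (array) get_option( 'klt_example_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'klt_example_save_settings', 'klt_example_nonce' ); ?>
        <input type="hidden" name="action" value="klt_example_save_settings">
        <input type="text" name="klt_example_settings[title]"
               value="<?php echo esc_attr( $opts['title'] ?? '' ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function klt_example_save_settings_hardened() {
    // 1. Capability: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. Nonce: a forged cross-site form cannot know this per-user, per-action,
    //    time-limited token. check_admin_referer() stops the request with
    //    "The link you followed has expired." (HTTP 403) when it is missing or wrong.
    check_admin_referer( 'klt_example_save_settings', 'klt_example_nonce' );

    // 3. Validate and sanitise before storing; keep only the keys we expect.
    $raw   = ( isset( $_POST['klt_example_settings'] ) && is_array( $_POST['klt_example_settings'] ) )
        ? wp_unslash( $_POST['klt_example_settings'] )
        : array();
    $clean = array(
        'title' => sanitize_text_field( $raw['title'] ?? '' ),
    );
    update_option( 'klt_example_settings', $clean );

    // Back to the (assumed) settings page with a success flag.
    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', admin_url( 'admin.php?page=klt-example' ) ) );
    exit;
}
// admin_post_{action} only fires for logged-in users; the hardened handler
// still performs its own capability and nonce checks.
add_action( 'admin_post_klt_example_save_settings', 'klt_example_save_settings_hardened' );
```

The nonce alone is the CSRF control: it is generated from the logged-in user's session and the action name, so a page on another origin cannot embed a valid one. The capability check is separate and guards against a lower-privileged logged-in user reaching the handler directly; a handler that lacks either check has a distinct bug.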
Detect, check and fix (wordpress / composer / npm):
• Detect the handler file: grep -r 'admin-page.php' /var/www/html/wp-content/plugins/latest-tabs/
• Check the installed version: wp plugin list --fields=name,version,status | grep 'latest-tabs'
• Update the plugin: wp plugin update latest-tabs
These commands use the directory name latest-tabs, while the component field above records kento-latest-tabs; confirm the actual slug from the output of wp plugin list before running the update. Adding --all to wp plugin update would update every installed plugin, not only this one.
Disclosure
Exploit status:
EPSS: 0.02% (4th percentile)
CISA SSVC:
CVSS vector:
The recommended mitigation for CVE-2025-14999 is to upgrade the Latest Tabs plugin to the fixed release (version 1.6 or later per the text above; the metadata lists 1.5.1) as soon as possible. If upgrading is not immediately feasible because of compatibility issues or breaking changes, add an interim control in front of the admin-page.php settings update handler. Note that a WAF cannot validate a WordPress nonce itself (nonces are per-user, time-limited tokens derived from the session), so the practical rule is to block cross-site state-changing requests: POSTs to the handler whose Sec-Fetch-Site header is neither same-origin nor none, or whose Origin/Referer host differs from the site's host. Additionally, review the WordPress admin interface for unexpected changes, particularly to this plugin's settings. After upgrading, confirm the fix from an authenticated administrator session by submitting the settings form with the nonce field removed or altered and verifying that WordPress rejects it with its "link has expired" error (HTTP 403) instead of saving the settings.
If no patched release is available for your installation, review the vulnerability details and apply mitigations according to your organization's risk appetite. Deactivating and uninstalling the affected plugin and finding a replacement may be the best option.
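As an added example of the interim control described above (not code from the plugin, this advisory's source, or any vendor), the following must-use plugin rejects cross-site POSTs to the plugin's admin settings page before WordPress dispatches them. It assumes the settings page is reached as admin.php?page=latest-tabs; that slug is an assumption, so confirm it against the plugin's admin-page.php and adjust the constant. The hook and helper functions used are WordPress core.

```php
<?php
/**
 * Plugin Name: Interim CSRF guard for Latest Tabs settings
 * Description: Added example, not the plugin's own code. Place in
 *              wp-content/mu-plugins/ until the plugin update is applied.
 */

// Assumed slug of the plugin's settings page (admin.php?page=...); verify it.
const KLT_GUARD_SETTINGS_PAGE = 'latest-tabs';

/**
 * True when the current request was initiated from another origin.
 * Prefers the browser-set Sec-Fetch-Site header, falls back to Origin/Referer,
 * and fails closed when no origin information is present at all.
 */
function klt_guard_is_cross_site_request() {
    if ( isset( $_SERVER['HTTP_SEC_FETCH_SITE'] ) ) {
        // same-origin: our own pages; none: typed URL or bookmark. Anything else is cross-site.
        return ! in_array( $_SERVER['HTTP_SEC_FETCH_SITE'], array( 'same-origin', 'none' ), true );
    }
    $site_host = strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
        if ( ! empty( $_SERVER[ $header ] ) ) {
            $host = strtolower( (string) wp_parse_url( $_SERVER[ $header ], PHP_URL_HOST ) );
            return $host !== $site_host;
        }
    }
    // No Sec-Fetch-Site, Origin or Referer: treat a state-changing request as hostile.
    return true;
}

/**
 * Runs on every admin request before plugin admin pages are rendered
 * (admin_init fires after authentication, so wp-admin has already set up the user).
 */
function klt_guard_block_forged_settings_post() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return; // GET/HEAD do not change settings; nothing to guard.
    }
    $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
    if ( KLT_GUARD_SETTINGS_PAGE !== $page ) {
        return; // Only the vulnerable handler's page is guarded.
    }
    if ( klt_guard_is_cross_site_request() ) {
        error_log( sprintf(
            'klt-guard: blocked cross-site POST to page=%s from %s',
            $page,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
        wp_die( 'Cross-site request blocked.', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'admin_init', 'klt_guard_block_forged_settings_post' );
```

This is a stop-gap, not a substitute for the fixed release: it relies on the browser sending origin information, and legitimate same-site form posts from the settings page keep working because they carry Sec-Fetch-Site: same-origin or a matching Origin host. The error_log line gives you a signal to watch for attempted exploitation while the guard is in place.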
CVE-2025-14999 is a Cross-Site Request Forgery (CSRF) vulnerability in the Latest Tabs WordPress plugin, versions 1.0.0 through 1.5, that lets an attacker modify plugin settings via a forged request executed by a logged-in administrator's browser.
You are affected if your WordPress site uses the Latest Tabs plugin at a version from 1.0.0 through 1.5. Upgrade to the fixed release (1.6 or later per this text; the page metadata lists 1.5.1) to remove the risk.
Upgrade the Latest Tabs plugin to the fixed release. As a temporary workaround, block cross-site POSTs to the settings update handler at a WAF or in a must-use plugin; a WAF cannot verify the WordPress nonce itself, so the rule has to key on Sec-Fetch-Site or the Origin/Referer host.
There are currently no confirmed reports of active exploitation, but the low complexity of the forged request makes it a plausible target once an administrator can be lured.
Refer to the WordPress plugin repository and the Latest Tabs plugin developer's website for the official advisory and update information.