Platform: wordpress
Component: simcast
Fixed in: 1.0.1
CVE-2025-14077 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Simcast plugin for WordPress. The attacker needs no account on the target site: if a logged-in administrator can be induced to load an attacker-controlled page or click a crafted link, the administrator's own browser submits the forged request to the site, carrying the administrator's session cookies, and the plugin accepts it as a legitimate settings change. Versions 1.0.0 and earlier are affected; this page lists 1.0.1 as the fixed version, which should be confirmed against the plugin's changelog before relying on it.
The primary impact is unauthorized modification of the Simcast plugin's settings. An attacker could embed a hidden, auto-submitting form on a web page that, when visited by an administrator, alters the plugin's configuration. The consequences depend on what the settings control: unexpected plugin behaviour, corrupted configuration, or an indirect path to further compromise if a setting determines, for example, which external endpoint or content the plugin trusts. In WordPress plugins this class of bug typically means the settings handler does not verify a nonce; a capability check alone does not help, because the forged request is made by a user who genuinely has the capability.
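To make the mechanism concrete, here is a WordPress settings handler in its CSRF-vulnerable form next to its hardened form. This is an added example, not Simcast's code and not the actual cause of CVE-2025-14077; the plugin, action and option names (`example_plugin`, `example_plugin_save`, `example_plugin_endpoint`) are hypothetical. The WordPress API calls themselves (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `admin_post_*` hooks) are real.

```php
<?php
/**
 * Added example (not Simcast's code): a minimal WordPress settings handler,
 * first in a CSRF-vulnerable form, then hardened. All example_plugin_* names
 * are hypothetical.
 */

// --- Vulnerable pattern: trusts any POST that reaches admin-post.php ---
// A logged-in administrator whose browser submits a form to
// admin-post.php?action=example_plugin_save_vuln (for example, an
// auto-submitting form on an attacker's page) has the option overwritten.
// Nothing ties the request to a page the administrator actually loaded.
add_action( 'admin_post_example_plugin_save_vuln', function () {
    if ( isset( $_POST['endpoint'] ) ) {
        update_option( 'example_plugin_endpoint', $_POST['endpoint'] );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example_plugin' ) );
    exit;
} );

// --- Hardened pattern: capability check plus a nonce bound to this action ---
add_action( 'admin_post_example_plugin_save', function () {
    // 1. Authorization: the session must belong to a user allowed to change settings.
    //    This alone does NOT stop CSRF; the forged request is made by such a user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: the nonce must have been issued for this action to this
    //    user's session. check_admin_referer() calls wp_die() if it is missing or
    //    invalid, so an attacker's page, which cannot read the nonce, fails here.
    check_admin_referer( 'example_plugin_save', 'example_plugin_nonce' );

    // 3. Input handling: never store raw request data.
    $endpoint = isset( $_POST['endpoint'] )
        ? esc_url_raw( wp_unslash( $_POST['endpoint'] ) )
        : '';
    update_option( 'example_plugin_endpoint', $endpoint );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example_plugin' ) ) );
    exit;
} );

// Settings form rendered inside wp-admin. wp_nonce_field() emits the hidden
// nonce input (plus _wp_http_referer) that the hardened handler verifies.
function example_plugin_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save">
        <?php wp_nonce_field( 'example_plugin_save', 'example_plugin_nonce' ); ?>
        <label>Endpoint URL
            <input type="url" name="endpoint"
                   value="<?php echo esc_attr( get_option( 'example_plugin_endpoint', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Two points worth keeping in mind when reviewing a plugin for this bug: WordPress nonces are tied to the user and session and rotate roughly every 12 to 24 hours, so they are a CSRF token rather than a one-time token, but they are sufficient because an attacker's page has no way to read one; and the nonce check must sit in the handler that performs the write, not only in the code that renders the form.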
This vulnerability was publicly disclosed on 2026-01-07. No public proof-of-concept (PoC) code had been released at the time of writing. The EPSS score is 0.02% (3rd percentile). It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS: 0.02% (3rd percentile)
CISA SSVC: not provided on this page
CVSS Vector: not provided on this page
The first-line mitigation for CVE-2025-14077 is to update the Simcast plugin to 1.0.1 or later, the version this page lists as fixed, and to verify the nonce check in the changelog or source before considering the issue closed. If updating is not possible, disable or remove the plugin; a CSRF bug in an inactive plugin is not reachable. Where the plugin must stay active, reduce the window of exposure rather than relying on awareness alone: administrators should log out of wp-admin when not using it and avoid browsing untrusted sites from a logged-in session. A Web Application Firewall gives limited protection here, because a forged request carries the same valid session cookie as a legitimate one; the only signal a WAF can act on is a missing or cross-site Origin/Referer header on POST requests to admin endpoints, and that rule must be tested against legitimate admin traffic before it is enforced. Review the plugin's settings periodically for unauthorized changes and log option changes attributed to the plugin, together with the requesting user and Referer, so that a forged change can be spotted and traced.
If you cannot apply the fixed version, review the vulnerability's details and apply the mitigations above according to your organization's risk tolerance; uninstalling the plugin and finding a replacement may be the safest option.
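One way to implement the "log option changes and their origin" check described above, as an added example that is not part of the Simcast plugin: a must-use plugin (dropped into `wp-content/mu-plugins/`) that records every add, update or delete of options whose names begin with a watched prefix, along with the acting user and the request's Origin/Referer headers. The prefix `simcast`, the log path and the `option_watch_*` names are assumptions; adjust the prefix to the option names the plugin actually stores.

```php
<?php
/**
 * Added example (not part of the Simcast plugin): mu-plugin that audits
 * changes to options with a watched prefix. OPTION_WATCH_PREFIX is an
 * assumption; the log path and function names are likewise hypothetical.
 */

define( 'OPTION_WATCH_PREFIX', 'simcast' );                         // assumed option prefix
define( 'OPTION_WATCH_LOG', WP_CONTENT_DIR . '/option-changes.log' ); // keep outside the web root in production

/**
 * True when the request's Origin (preferred) or Referer host differs from this
 * site's host. A forged cross-site POST normally carries the attacker's host;
 * a browser-originated admin request carries this site's host. Returns null
 * when neither header is present (CLI, cron, or a strict Referrer-Policy).
 */
function option_watch_is_cross_site( $origin, $referer ) {
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    foreach ( array( $origin, $referer ) as $hdr ) {
        if ( '' === $hdr ) {
            continue;
        }
        $hdr_host = (string) wp_parse_url( $hdr, PHP_URL_HOST );
        return 0 !== strcasecmp( $hdr_host, (string) $site_host );
    }
    return null;
}

function option_watch_record( $event, $option, $old, $new ) {
    if ( 0 !== strpos( $option, OPTION_WATCH_PREFIX ) ) {
        return;
    }
    $user    = wp_get_current_user();
    $origin  = isset( $_SERVER['HTTP_ORIGIN'] )  ? (string) $_SERVER['HTTP_ORIGIN']  : '';
    $referer = isset( $_SERVER['HTTP_REFERER'] ) ? (string) $_SERVER['HTTP_REFERER'] : '';

    $entry = array(
        'time'       => gmdate( 'c' ),
        'event'      => $event,
        'option'     => $option,
        'user'       => $user->exists() ? $user->user_login : '(none)',
        'ip'         => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'uri'        => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
        'origin'     => $origin,
        'referer'    => $referer,
        // true  = change came from a cross-site request (CSRF fingerprint)
        // false = same-site request
        // null  = no Origin/Referer at all (CLI/cron, or header suppressed)
        'cross_site' => option_watch_is_cross_site( $origin, $referer ),
        'old'        => $old,
        'new'        => $new,
    );
    file_put_contents( OPTION_WATCH_LOG, wp_json_encode( $entry ) . PHP_EOL, FILE_APPEND | LOCK_EX );
}

// Core fires these for every option write; signatures are
// updated_option($option, $old_value, $value), added_option($option, $value),
// deleted_option($option).
add_action( 'updated_option', function ( $option, $old, $new ) {
    option_watch_record( 'updated', $option, $old, $new );
}, 10, 3 );
add_action( 'added_option', function ( $option, $value ) {
    option_watch_record( 'added', $option, null, $value );
}, 10, 2 );
add_action( 'deleted_option', function ( $option ) {
    option_watch_record( 'deleted', $option, null, null );
}, 10, 1 );
```

Each log line is one JSON object, so a forged change stands out as an entry with `"cross_site": true` (or a `null` made by a logged-in admin user, which a CLI or cron job would not produce) against an administrator account. The audit hook does not prevent the change; it exists so that a review of plugin settings has something to compare against and so that the responsible request can be tied back to a user, an IP and a referring page.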
CVE-2025-14077 is a Cross-Site Request Forgery (CSRF) vulnerability in the Simcast WordPress plugin that lets an attacker modify plugin settings through a forged request submitted by a logged-in administrator's browser.
If you are running Simcast plugin version 1.0.0 or earlier, you are affected.
Update to version 1.0.1 or later, which this page lists as the fixed release. Until the update is applied, disable or remove the plugin.
There are no confirmed reports of active exploitation, and no public proof of concept at the time of writing, but the vulnerability is publicly known.
Check the Simcast plugin's official website or its WordPress plugin repository page for updates, the changelog entry for 1.0.1, and any advisories referencing CVE-2025-14077.