Platform: wordpress
Component: lucky-draw
Fixed in: 4.2.1
CVE-2025-14462 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Lucky Draw Contests plugin for WordPress. This flaw allows unauthenticated attackers to manipulate plugin settings by tricking administrators into performing actions via crafted requests. The vulnerability impacts versions from 0.0.0 through 4.2, and a fix is expected in a future plugin release.
The CSRF vulnerability in Lucky Draw Contests allows an attacker to execute unauthorized actions on a WordPress site if a site administrator is tricked into clicking a malicious link. This could involve modifying contest settings, changing prize configurations, or altering other plugin-related data. Successful exploitation could lead to unauthorized modifications to the website's functionality and data integrity. The attack surface is broad: any administrator with access to the plugin's settings page is potentially exposed. While the impact is not catastrophic, it can still disrupt website operations and compromise data.
This vulnerability was publicly disclosed on 2025-12-13. No public proof-of-concept (PoC) code has been released at the time of writing, but the CSRF nature of the vulnerability makes exploitation relatively straightforward. It is not currently listed on the CISA KEV catalog. The ease of exploitation, combined with the widespread use of WordPress plugins, suggests a potential for exploitation in the future.
Exploit Status
EPSS: 0.02% (4th percentile)
The primary mitigation for CVE-2025-14462 is to upgrade to a patched version of the Lucky Draw Contests plugin as soon as it becomes available. Until a patch is released, consider temporary workarounds: restrict access to the plugin's settings page to authorized users only, and apply strict input validation and output encoding to reject malicious requests. Web Application Firewalls (WAFs) can be configured to filter suspicious requests targeting the misc-settings.php file. Monitor WordPress logs for unusual activity or attempts to modify plugin settings.
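As an added illustration, not code from the Lucky Draw Contests plugin, the following shows the settings-save pattern that makes a WordPress admin action CSRF-prone next to a hardened version that requires a capability check and a nonce. The option, action and function names (ld_demo_*) are hypothetical.

```php
<?php
// Added example; not the plugin's code. Names prefixed ld_demo_ are hypothetical.

// CSRF-PRONE PATTERN: any POST reaching this handler is honoured. A form on a
// third-party page, submitted by a logged-in administrator's browser, carries
// the admin's session cookies and changes the setting without their intent.
function ld_demo_save_settings_vulnerable() {
    if ( isset( $_POST['ld_demo_prize'] ) ) {
        update_option( 'ld_demo_prize', sanitize_text_field( wp_unslash( $_POST['ld_demo_prize'] ) ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=ld-demo-settings' ) );
    exit;
}

// HARDENED PATTERN: require the manage_options capability AND a per-user,
// time-limited nonce bound to this action. A forged cross-site request cannot
// supply a valid nonce, so check_admin_referer() stops it with a 403 page.
function ld_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ld-demo' ), '', array( 'response' => 403 ) );
    }
    // Dies if the 'ld_demo_nonce' field is missing, expired or minted for another action.
    check_admin_referer( 'ld_demo_save_settings', 'ld_demo_nonce' );

    if ( isset( $_POST['ld_demo_prize'] ) ) {
        update_option( 'ld_demo_prize', sanitize_text_field( wp_unslash( $_POST['ld_demo_prize'] ) ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=ld-demo-settings&updated=1' ) );
    exit;
}
// admin-post.php dispatches POSTs with action=ld_demo_save to this handler.
add_action( 'admin_post_ld_demo_save', 'ld_demo_save_settings_hardened' );

// The legitimate settings form must emit the matching nonce so real saves pass.
function ld_demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ld_demo_save">
        <?php wp_nonce_field( 'ld_demo_save_settings', 'ld_demo_nonce' ); ?>
        <label>Prize <input type="text" name="ld_demo_prize"
               value="<?php echo esc_attr( get_option( 'ld_demo_prize', '' ) ); ?>"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of flaw, look for settings handlers that call update_option() from request data without a preceding check_admin_referer() or wp_verify_nonce() and a current_user_can() check.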
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-14462 is a Cross-Site Request Forgery (CSRF) vulnerability in the Lucky Draw Contests WordPress plugin, allowing attackers to modify plugin settings via forged requests.
You are affected if your WordPress site uses the Lucky Draw Contests plugin in versions 0.0.0 through 4.2. Upgrade to a patched version as soon as it's available.
The recommended fix is to upgrade to a patched version of the plugin. Until then, restrict access to plugin settings and implement WAF rules.
While no public exploits are currently known, the CSRF nature of the vulnerability suggests a potential for exploitation.
Check the plugin developer's website or the WordPress plugin repository for updates and advisories related to CVE-2025-14462.