Platform: wordpress
Component: sticky-action-buttons
Fixed in: 1.1.1
CVE-2025-14465 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Sticky Action Buttons plugin for WordPress. The flaw lets an unauthenticated attacker change the plugin's settings by tricking an administrator into submitting a crafted request from their own logged-in browser. It affects versions 0.0.0 through 1.1 and requires no authentication beyond the ability to induce an administrator to click a malicious link. A fix is expected in a future plugin release.
The primary impact of this CSRF vulnerability is unauthorized modification of the Sticky Action Buttons plugin's settings. An attacker could use this to alter the plugin's behavior, potentially injecting malicious code or redirecting users. Although the plugin itself might not handle sensitive data directly, changes to its configuration can affect overall site functionality and user experience. Successful exploitation could lead to defacement, redirection to phishing sites, or other disruptive actions. Because the attack depends on social engineering an administrator into clicking a malicious link, user awareness is a crucial factor in preventing exploitation.
This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a lower probability of immediate widespread exploitation. However, the ease of exploitation (requiring only social engineering) means it remains a potential threat. The vulnerability was publicly disclosed on 2026-01-07.
Exploit Status
EPSS: 0.02% (4th percentile)
The immediate mitigation for CVE-2025-14465 is to disable the Sticky Action Buttons plugin until a patched version is available. If disabling the plugin is not feasible, implement strict input validation and output encoding on all plugin settings pages so that malicious data is not processed. Consider using a WordPress security plugin with CSRF protection features as an extra layer of defense. Monitor WordPress logs for suspicious activity, in particular settings-change requests originating from unusual sources or carrying unexpected parameters. Once a patched version is released, upgrade the plugin immediately to eliminate the vulnerability.
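The settings-save pattern behind this class of bug, as an added example that is not the Sticky Action Buttons plugin's code: a hypothetical `sab_demo` option handler with no nonce or capability check, next to the hardened form using WordPress's own `check_admin_referer()` and `wp_nonce_field()` (all `sab_demo_*` names are assumed for illustration).

```php
<?php
// Added illustration; hypothetical "sab_demo" plugin, not Sticky Action Buttons.

// --- Vulnerable pattern: no nonce and no capability check -----------------
// Any POST reaching admin-post.php with action=sab_demo_save is honoured, so a
// logged-in administrator's browser can be made to submit it from a third-party
// page and the option changes silently. Not hooked here on purpose.
function sab_demo_save_unprotected() {
    $label = isset( $_POST['sab_label'] ) ? $_POST['sab_label'] : '';
    update_option( 'sab_demo_label', $label );
    wp_safe_redirect( admin_url( 'options-general.php?page=sab_demo' ) );
    exit;
}

// --- Hardened pattern: capability check, then nonce verification ----------
function sab_demo_save_protected() {
    // 1. Only users allowed to manage options may save at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. The request must carry a nonce minted for this action on a page the
    //    user actually visited; a cross-site POST cannot supply a valid one.
    //    check_admin_referer() terminates the request if it is missing/invalid.
    check_admin_referer( 'sab_demo_save', 'sab_demo_nonce' );
    // 3. Sanitize before storing (defence in depth, not the CSRF fix itself).
    $label = isset( $_POST['sab_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['sab_label'] ) )
        : '';
    update_option( 'sab_demo_label', $label );
    wp_safe_redirect( admin_url( 'options-general.php?page=sab_demo' ) );
    exit;
}
add_action( 'admin_post_sab_demo_save', 'sab_demo_save_protected' );

// The settings form must emit the matching nonce field for the check to pass.
function sab_demo_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="sab_demo_save">
        <?php wp_nonce_field( 'sab_demo_save', 'sab_demo_nonce' ); ?>
        <input type="text" name="sab_label"
               value="<?php echo esc_attr( get_option( 'sab_demo_label', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

A quick audit check for any plugin is to confirm that every handler that calls `update_option()` on a POST is preceded by both a capability check and a nonce check, as in the hardened function above.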
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-14465 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Sticky Action Buttons plugin for WordPress versions 0.0.0–1.1, allowing attackers to modify plugin settings via forged requests.
You are affected if your WordPress site uses the Sticky Action Buttons plugin in versions 0.0.0 through 1.1. Upgrade or disable the plugin to mitigate the risk.
The recommended fix is to upgrade to a patched version of the Sticky Action Buttons plugin. Until a patch is available, disable the plugin or implement strict input validation.
While no widespread exploitation has been confirmed, the ease of exploitation means it remains a potential threat. Monitor your WordPress logs for suspicious activity.
Check the plugin developer's website or WordPress.org plugin page for updates and advisories related to CVE-2025-14465.