Platform: wordpress
Component: yml-for-yandex-market
Fixed in: 5.0.26
CVE-2025-14545 is a Remote Code Execution (RCE) vulnerability affecting the YML for Yandex Market plugin for WordPress. This vulnerability allows authenticated attackers, specifically those with Shop Manager-level access or higher, to execute arbitrary code on the server. The vulnerability impacts versions of the plugin up to and including 5.0.26. A patch has been released in version 5.0.26.
Successful exploitation of CVE-2025-14545 could allow an attacker to gain complete control over the WordPress server hosting the vulnerable plugin. This could lead to data breaches, website defacement, malware installation, and further compromise of the entire network. The attacker's ability to execute arbitrary code means they can perform virtually any action they desire on the server, including accessing sensitive data, modifying configurations, and installing backdoors for persistent access. The impact is particularly severe given the widespread use of WordPress and the potential for large-scale compromise if the vulnerability is exploited.
CVE-2025-14545 was publicly disclosed on 2026-03-19. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The EPSS score is pending evaluation. It is recommended to prioritize patching due to the RCE nature of the vulnerability.
EPSS: 0.10% (28% percentile)
The primary mitigation for CVE-2025-14545 is to immediately upgrade the YML for Yandex Market plugin to version 5.0.26 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider restricting access to the plugin's administrative interface to only trusted users. While not a complete solution, this can limit the potential attack surface. Review user roles and permissions to ensure that only necessary privileges are granted. Monitor WordPress logs for any suspicious activity related to the plugin, such as unexpected code execution attempts.
Update to version 5.0.26, or a newer patched version
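The upgrade and role-review steps above, written as a WP-CLI triage script; this is an added example, not code from the plugin or from this advisory. It assumes WP-CLI is installed, that the page's "Fixed in" value 5.0.26 is the first patched release, and that `shop_manager` and `administrator` are the roles at or above Shop Manager on the site.

```shell
#!/bin/sh
# Added example: triage one WordPress install for CVE-2025-14545.
SLUG="yml-for-yandex-market"        # plugin slug, taken from the advisory
FIXED="5.0.26"                      # "Fixed in" value from the advisory (assumed first patched release)
ROLES="shop_manager administrator"  # assumption: stock WooCommerce/WordPress role names

# version_lt A B: succeed when dotted version A sorts strictly below B.
version_lt() {
    if [ "$1" = "$2" ]; then return 1; fi
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$1" ]
}

# classify VERSION: print the triage state for an installed version string.
classify() {
    if [ -z "$1" ]; then
        echo "not-installed"
    elif version_lt "$1" "$FIXED"; then
        echo "needs-update"
    else
        echo "at-or-above-fixed"
    fi
}

# audit WP_PATH: report the plugin state and list the accounts holding
# the privilege level the advisory names as required for exploitation.
audit() {
    path="${1:-.}"
    installed=$(wp --path="$path" plugin get "$SLUG" --field=version 2>/dev/null || true)
    state=$(classify "$installed")
    echo "$SLUG ${installed:-absent}: $state"
    if [ "$state" = "not-installed" ]; then return 0; fi
    for role in $ROLES; do
        echo "== accounts with role $role =="
        wp --path="$path" user list --role="$role" \
            --fields=ID,user_login,user_email,user_registered
    done
    if [ "$state" = "needs-update" ]; then
        echo "next step: wp --path=$path plugin update $SLUG"
    fi
}

# Runs only when asked, e.g.: sh triage.sh audit /var/www/html
if [ "${1:-}" = "audit" ]; then
    audit "${2:-.}"
fi
```

The account listing is the input for the role review: any entry that no longer needs Shop Manager or administrator rights is a candidate for downgrade while the update is scheduled.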
CVE-2025-14545 is a Remote Code Execution vulnerability in the YML for Yandex Market WordPress plugin, allowing authenticated attackers to execute code on the server.
You are affected if you are using YML for Yandex Market version 5.0.26 or earlier. Upgrade to 5.0.26 to resolve the issue.
Upgrade the YML for Yandex Market plugin to version 5.0.26 or later through the WordPress plugin manager or via WP-CLI.
As of now, there are no confirmed reports of active exploitation, but the RCE nature warrants immediate patching.
Check the YML for Yandex Market plugin page on WordPress.org for updates and security advisories.