Platform: wordpress
Component: adminquickbar
Fixed in: 1.9.4
CVE-2025-14630 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the AdminQuickbar plugin for WordPress. This flaw allows unauthenticated attackers to manipulate plugin settings and update post titles if they can induce a site administrator to perform a malicious action. The vulnerability impacts versions 1.0.0 through 1.9.3, and a patch is available in version 1.9.4.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized modification of the AdminQuickbar plugin's configuration and the ability to alter post titles. An attacker could craft a malicious link or embed a hidden form on a website that, when visited by an administrator, would trigger a forged request. This could lead to changes in plugin behavior, potentially impacting site functionality or security. While the vulnerability requires administrator interaction, the ease of crafting CSRF attacks makes it a significant risk, especially on sites with a large user base or frequent administrator activity. The attacker does not need to authenticate to exploit this vulnerability, only to trick an authenticated administrator.
This vulnerability was publicly disclosed on 2026-01-24. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the relatively straightforward nature of CSRF exploitation and the plugin's popularity, it is prudent to assume that a public exploit could emerge in the future.
Exploit Status
EPSS: 0.01% (0% percentile)
CISA SSVC:
CVSS Vector:
The recommended mitigation is to immediately upgrade the AdminQuickbar plugin to version 1.9.4 or later. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider implementing temporary workarounds. These might include restricting administrator access to sensitive areas of the plugin's configuration page or implementing stricter input validation on the 'saveSettings' and 'renamePost' AJAX actions. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can also provide an additional layer of protection. After upgrading, verify the fix by attempting to trigger a forged request and confirming that the action is blocked.
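As an added illustration of the server-side check that stops a forged admin-ajax request (constructed example, not AdminQuickbar's own code), the two action names below come from the advisory, while the option name, request parameter names, nonce action strings and script handle are assumptions:

```php
<?php
// Constructed example. 'saveSettings' and 'renamePost' are the action names the advisory
// cites; everything else (option name, parameters, nonce strings, script handle) is assumed.

// Vulnerable shape (NOT registered here, shown only for contrast): the handler trusts any
// request that arrives with an administrator's session cookie, so a hidden form on another
// site can reach it. No nonce, no capability check.
function example_save_settings_vulnerable() {
    $settings = wp_unslash( $_POST['settings'] ?? array() );
    update_option( 'example_quickbar_settings', $settings );
    wp_send_json_success();
}

// Hardened shape: bind the request to a nonce issued to this admin's session and confirm the
// caller actually holds the capability the action needs.
add_action( 'wp_ajax_saveSettings', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    check_ajax_referer( 'example_quickbar_settings', 'nonce' ); // ends the request (403) if the nonce is missing or wrong
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $settings = array_map( 'sanitize_text_field', (array) wp_unslash( $_POST['settings'] ?? array() ) );
    update_option( 'example_quickbar_settings', $settings );
    wp_send_json_success();
}

add_action( 'wp_ajax_renamePost', 'example_rename_post_hardened' );
function example_rename_post_hardened() {
    check_ajax_referer( 'example_quickbar_rename', 'nonce' );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    // Per-post capability check: the admin must be allowed to edit this specific post.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    wp_update_post( array( 'ID' => $post_id, 'post_title' => $title ) );
    wp_send_json_success();
}

// The nonces are issued only to the legitimate admin UI, whose script ('example-quickbar',
// assumed to be registered elsewhere) sends them back with each AJAX call.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-quickbar', 'exampleQuickbar', array(
        'settingsNonce' => wp_create_nonce( 'example_quickbar_settings' ),
        'renameNonce'   => wp_create_nonce( 'example_quickbar_rename' ),
    ) );
} );
```

When verifying the fix as described above, the expected result of a request without a valid nonce is a 403 response and an unchanged option or post title.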
CVE-2025-14630 is a Cross-Site Request Forgery (CSRF) vulnerability in the AdminQuickbar WordPress plugin, allowing attackers to modify settings and post titles if they can trick an administrator into clicking a malicious link.
Yes, if you are using AdminQuickbar plugin versions 1.0.0 through 1.9.3, you are affected by this vulnerability.
Upgrade the AdminQuickbar plugin to version 1.9.4 or later to resolve this vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
There are currently no known active exploits, but the vulnerability's nature suggests potential for future exploitation.
Refer to the AdminQuickbar plugin's official website or WordPress plugin repository for the latest advisory and update information.