Platform: wordpress
Component: afiliados-de-amazon-lite
Fixed in: 1.0.1
CVE-2025-14734 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Amazon affiliate lite Plugin for WordPress. This flaw allows attackers to manipulate plugin settings by crafting malicious requests, potentially altering affiliate tracking configurations or other plugin-specific settings. The vulnerability impacts versions 1.0.0 and earlier. A fix is expected in a future plugin release.
An attacker could exploit this CSRF vulnerability to modify the Amazon affiliate lite Plugin's settings without needing credentials of their own, because the forged request is submitted by the browser of an administrator who is already logged in. This could involve changing affiliate IDs, altering tracking parameters, or even disabling certain plugin features. The impact extends beyond simple configuration changes: an attacker could potentially redirect affiliate revenue or inject malicious code through plugin settings, leading to financial losses or further compromise of the WordPress site. Because exploitation requires only tricking a site administrator into clicking a malicious link, the potential for widespread abuse is higher.
This vulnerability was publicly disclosed on 2025-12-20. No public proof-of-concept (PoC) code has been released at the time of writing, but the low effort required suggests a moderate risk of exploitation. It is not currently listed on CISA KEV. The vulnerability's reliance on social engineering (tricking an administrator) contributes to its exploitability.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to a patched version of the Amazon affiliate lite Plugin once available. Until a patch is released, consider implementing temporary workarounds. These include restricting access to the plugin's settings page to authenticated administrators only, using a WordPress security plugin with CSRF protection, or implementing a Web Application Firewall (WAF) rule to block suspicious requests targeting the 'ADALsettingspage' function. Regularly monitor WordPress logs for unusual activity related to plugin settings updates.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
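The mitigation that closes this class of bug inside a plugin is a capability check plus a WordPress nonce on the settings handler. The snippet below is an added illustration written for this page, not the plugin's own code: it shows a settings handler in the CSRF-prone form beside a hardened form. The option name adal_affiliate_id, the action name adal_save_settings, the nonce field name and the affiliate-ID pattern are assumptions; check_admin_referer(), current_user_can(), wp_nonce_field() and admin_post_* are standard WordPress APIs.

```php
<?php
// Added illustration (not the plugin's own code): a minimal WordPress settings
// handler in a CSRF-prone form and in a hardened form.
// Assumed names: option 'adal_affiliate_id', action 'adal_save_settings',
// nonce field 'adal_settings_nonce'.

// --- Vulnerable pattern: trusts any POST that reaches the handler ---
function adal_save_settings_vulnerable() {
    if ( isset( $_POST['adal_affiliate_id'] ) ) {
        // Any third-party page the administrator visits can auto-submit a form
        // to this endpoint; the browser attaches the admin's cookies and the
        // option is overwritten with attacker-chosen content.
        update_option( 'adal_affiliate_id', $_POST['adal_affiliate_id'] );
    }
}

// --- Hardened pattern: capability check + nonce + input validation ---
function adal_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'adal_save_settings', 'adal_settings_nonce' ); ?>
        <input type="hidden" name="action" value="adal_save_settings">
        <label>Affiliate ID
            <input type="text" name="adal_affiliate_id"
                   value="<?php echo esc_attr( get_option( 'adal_affiliate_id', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function adal_save_settings_hardened() {
    // 1. Only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 2. Reject requests without a valid, unexpired nonce bound to this action
    //    and this user's session. A cross-site form cannot obtain the value, so
    //    a forged request fails here (check_admin_referer() dies with HTTP 403).
    check_admin_referer( 'adal_save_settings', 'adal_settings_nonce' );

    // 3. Validate before storing. The pattern is an assumption: Amazon tracking
    //    tags are short alphanumeric tokens with hyphens, so anything else is
    //    rejected instead of being written to the database.
    $raw          = isset( $_POST['adal_affiliate_id'] ) ? wp_unslash( $_POST['adal_affiliate_id'] ) : '';
    $affiliate_id = sanitize_text_field( $raw );
    if ( ! preg_match( '/^[A-Za-z0-9-]{1,32}$/', $affiliate_id ) ) {
        wp_die( 'Invalid affiliate ID', 400 );
    }
    update_option( 'adal_affiliate_id', $affiliate_id );

    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', $back ) );
    exit;
}

// Route the admin-post.php action to the hardened handler. Only the
// admin_post_{action} hook is registered, not admin_post_nopriv_{action},
// so anonymous requests never reach it.
add_action( 'admin_post_adal_save_settings', 'adal_save_settings_hardened' );
```

The nonce alone is what defeats CSRF; the capability check stops lower-privileged users, and the validation step is what keeps a settings field from becoming a code-injection sink even if the request is legitimate. A WAF rule on the settings page, as suggested above, is a stopgap; it cannot distinguish a forged request from a real one the way the per-session nonce can.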
CVE-2025-14734 is a Cross-Site Request Forgery vulnerability in the Amazon affiliate lite Plugin for WordPress versions up to 1.0.0, allowing attackers to modify plugin settings via forged requests.
If you are using the Amazon affiliate lite Plugin version 1.0.0 or earlier, you are potentially affected by this vulnerability.
Upgrade to a patched version of the Amazon affiliate lite Plugin as soon as it becomes available. Until then, implement temporary workarounds like restricting access to settings or using a WAF.
While no public exploits are currently known, the ease of exploitation suggests a potential for active exploitation.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.