Platform: wordpress
Component: auto-post-to-social-media-wp-to-social-champ
Fixed in: 1.3.6
CVE-2025-14846 is a Cross-Site Request Forgery (CSRF) vulnerability in the Social Champ WordPress plugin (auto-post-to-social-media-wp-to-social-champ). The settings handler, wpscsettingstab_menu, accepts a settings update without validating a WordPress nonce, so a forged request submitted from an attacker-controlled page is processed exactly like a legitimate one. An unauthenticated attacker can therefore modify plugin settings if they can induce a logged-in site administrator to visit a crafted page or click a crafted link. Versions 1.0.0 through 1.3.5 are affected; the fix is in version 1.3.6.
The primary impact is unauthorized modification of plugin settings. Because the forged request is sent by the administrator's own browser and carries their session cookies, WordPress sees it as an ordinary admin action; nothing in the request identifies the attacker. Depending on which settings the handler writes, this could include altering social media posting schedules, replacing stored API credentials, or changing other plugin configuration. The blast radius is limited to the plugin's functionality, but successful exploitation could lead to compromised social media accounts and damage to the site's reputation. The attack does require user interaction (an administrator visiting the attacker's page while logged in), but the forged request itself is trivial to craft, so the risk is real wherever administrators browse other sites from a logged-in session.
This vulnerability was publicly disclosed on 2026-01-14. There are currently no known public proof-of-concept exploits available. It is not listed on the CISA KEV catalog at the time of writing. The medium CVSS score reflects the requirement for user interaction, but the potential impact warrants prompt remediation.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC:
CVSS Vector:
The recommended mitigation is to upgrade the Social Champ plugin to version 1.3.6 or later; this version adds the nonce validation that the settings handler was missing. If upgrading is not immediately feasible, a Web Application Firewall rule can reduce exposure, but note what a WAF can and cannot see: the forged request arrives from the administrator's own browser with a valid session, so signatures based on source IP or unusual user agents will not catch it. A workable interim rule blocks the plugin's settings-update request when the Origin or Referer header is absent or does not match the site's own origin. Setting the WordPress authentication cookies with a SameSite attribute also blunts cross-site form posts in modern browsers. Additionally, remind administrators not to browse untrusted sites from a logged-in admin session and to be wary of links that lead to the wp-admin area. After upgrading, confirm the fix by submitting a settings change without a valid nonce (for example, from a form hosted on another origin); WordPress should reject it with its "link has expired" error instead of saving the change.
Update to version 1.3.6 or a newer patched version.
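The pattern behind this CVE and its fix, shown side by side as an added example. This is not Social Champ's code and does not reproduce wpscsettingstab_menu; the handler names, the option name, the nonce action and the form field (all prefixed wpsc_example_) are hypothetical. What it shows is the property the fix restores: WordPress nonces are tied to the logged-in user and a specific action, and a page on another origin cannot read one, so a forged cross-site POST cannot carry a valid nonce.

```php
<?php
/*
 * Added illustration for CVE-2025-14846 (not the plugin's own code).
 * Every wpsc_example_* name below is hypothetical; the WordPress API calls
 * (check_admin_referer, wp_nonce_field, current_user_can, update_option)
 * are the real ones a fix of this kind relies on.
 */

// Vulnerable shape: any POST that reaches the admin page is trusted. An
// attacker's page can auto-submit a form to this URL; the administrator's
// browser attaches the session cookie, so WordPress treats it as the admin.
function wpsc_example_save_settings_vulnerable() {
    if ( empty( $_POST['wpsc_example_settings'] ) ) {
        return;
    }
    // No nonce and no capability check: a forged cross-site POST lands here.
    update_option( 'wpsc_example_settings', wp_unslash( $_POST['wpsc_example_settings'] ) );
}

// Hardened shape: the request must carry a nonce for this action and user.
function wpsc_example_save_settings_fixed() {
    if ( empty( $_POST['wpsc_example_settings'] ) ) {
        return;
    }
    // Only users who may manage options get to change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // Verifies $_POST['wpsc_example_nonce'] against the 'wpsc_example_save'
    // action; on failure it aborts with the "link has expired" page (HTTP 403),
    // which is exactly what a forged request from another origin hits.
    check_admin_referer( 'wpsc_example_save', 'wpsc_example_nonce' );

    // Nonce is valid: sanitize the submitted values before storing them.
    $settings = array_map(
        'sanitize_text_field',
        (array) wp_unslash( $_POST['wpsc_example_settings'] )
    );
    update_option( 'wpsc_example_settings', $settings );
}

// Render side: the legitimate settings form embeds the nonce the hardened
// handler verifies. Because the nonce is generated per user and per action,
// a page on another origin cannot obtain or guess it.
function wpsc_example_settings_form() {
    $current = (array) get_option( 'wpsc_example_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=wpsc-example' ) ); ?>">
        <?php wp_nonce_field( 'wpsc_example_save', 'wpsc_example_nonce' ); ?>
        <label>
            Posting schedule
            <input type="text" name="wpsc_example_settings[schedule]"
                   value="<?php echo esc_attr( $current['schedule'] ?? '' ); ?>">
        </label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

// Register only the hardened handler; the vulnerable one is kept for contrast.
add_action( 'admin_init', 'wpsc_example_save_settings_fixed' );
```

The capability check and the nonce check do different jobs and both are needed: current_user_can stops a low-privilege user from saving settings directly, while check_admin_referer stops an administrator from being made to save settings they never intended to. Retrofitting the nonce check alone, as the 1.3.6 fix does for the CSRF, closes this CVE; verifying the fix means sending the settings POST without the nonce field and confirming WordPress returns the 403 expiry page rather than updating the option.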
CVE-2025-14846 is a Cross-Site Request Forgery (CSRF) vulnerability in the Social Champ WordPress plugin, allowing attackers to modify settings if an administrator clicks a malicious link.
You are affected if you are using Social Champ for WordPress versions 1.0.0 through 1.3.5. Upgrade to 1.3.6 or later to mitigate the risk.
Upgrade the Social Champ plugin to version 1.3.6 or later. As a temporary workaround, a WAF rule that rejects the plugin's settings-update request when its Origin or Referer header does not match the site's own origin reduces exposure; rules keyed on source IP will not help, because the forged request comes from the administrator's own browser.
There are currently no confirmed reports of active exploitation, but the attack is low-complexity (a forged form plus one visit by a logged-in administrator), so prompt remediation is warranted.
Refer to the Social Champ website and WordPress plugin repository for the latest advisory and update information.