Platform: wordpress
Component: last-email-address-validator
Fixed in: 1.7.2
CVE-2025-14853 identifies a Cross-Site Request Forgery (XSRF, more commonly CSRF) vulnerability in the LEAV Last Email Address Validator plugin for WordPress. The flaw allows an unauthenticated attacker to change plugin settings by getting a logged-in administrator's browser to submit a crafted request, potentially compromising the plugin's email validation. The vulnerability affects versions from 0.0.0 up to and including 1.7.1. A patch is expected to be released by the vendor.
The primary impact of this XSRF vulnerability is that an attacker can modify the plugin's configuration settings. Successful exploitation could let an attacker alter the email validation rules, potentially allowing spam or malicious email addresses to bypass the plugin's filters. This could result in users receiving unwanted or harmful communications, affecting the overall security and reputation of the WordPress site. Although exploitation requires tricking a site administrator into performing an action (e.g., clicking a malicious link), the potential for widespread impact across many users makes it a significant concern. The attacker needs no account on the site: the forged request is submitted by the victim administrator's browser and carries that administrator's session, so it appears legitimate to the plugin.
CVE-2025-14853 was publicly disclosed on 2026-01-16. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's relatively low CVSS score (4.3) suggests a lower probability of exploitation, but the ease of exploitation (no authentication required) warrants attention. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (3rd percentile)
CISA SSVC
CVSS Vector
The most effective mitigation is to upgrade to a patched version of the LEAV Last Email Address Validator plugin as soon as it becomes available. Until a patch is released, consider temporary workarounds: restrict access to the plugin's settings page to authenticated administrators only, and apply stricter input validation to every parameter passed to the displaysettingspage function. A Web Application Firewall (WAF) can be configured to detect and block suspicious requests targeting this endpoint. Monitor WordPress logs for unexpected changes to the plugin's settings.
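As an added illustration (not the plugin's own code), the following hypothetical WordPress settings handler shows the CSRF-prone shape the advisory describes next to a hardened version that uses WordPress's standard nonce and capability checks; all function, option and field names here are made up for the example.

```php
<?php
// Added illustration, not code from the LEAV plugin. Names are hypothetical.

// --- Vulnerable pattern: saves whatever POST data reaches the handler -------
// A logged-in administrator's browser can be made to submit this request from
// a third-party page; nothing proves the request came from the plugin's form.
function leav_example_save_settings_vulnerable() {
    if ( isset( $_POST['leav_validation_mode'] ) ) {
        update_option( 'leav_example_validation_mode', $_POST['leav_validation_mode'] );
    }
}

// --- Hardened pattern -----------------------------------------------------
// Render the settings form with a nonce bound to this specific action.
function leav_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="leav_example_save_settings">';
    wp_nonce_field( 'leav_example_save_settings', 'leav_example_nonce' );
    echo '<input type="text" name="leav_validation_mode">';
    submit_button( 'Save' );
    echo '</form>';
}

// Handler registered on admin-post.php (runs only for logged-in users).
function leav_example_save_settings_hardened() {
    // 1. Capability check: only administrators may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: the nonce proves the request originated from our own form
    //    in this user's session rather than from a forged cross-site request.
    check_admin_referer( 'leav_example_save_settings', 'leav_example_nonce' );

    // 3. Validate the submitted value against an allow-list before saving.
    $allowed = array( 'strict', 'lenient' );
    $mode    = sanitize_text_field( wp_unslash( $_POST['leav_validation_mode'] ?? '' ) );
    if ( ! in_array( $mode, $allowed, true ) ) {
        wp_die( 'Invalid setting value', '', array( 'response' => 400 ) );
    }
    update_option( 'leav_example_validation_mode', $mode );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_leav_example_save_settings', 'leav_example_save_settings_hardened' );
```

A request that lacks a valid nonce is rejected by check_admin_referer() before any option is written, which is the check a forged cross-site request cannot satisfy.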
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-14853 is a Cross-Site Request Forgery (XSRF) vulnerability affecting the LEAV Last Email Address Validator WordPress plugin, allowing attackers to modify plugin settings via forged requests.
You are affected if your WordPress site uses the LEAV Last Email Address Validator plugin in versions 0.0.0–1.7.1. Upgrade as soon as a patch is available.
The primary fix is to upgrade to a patched version of the LEAV Last Email Address Validator plugin. Until then, implement temporary workarounds like restricting access to the settings page.
There is currently no confirmed active exploitation of CVE-2025-14853, but the ease of exploitation warrants vigilance.
Check the LEAV Last Email Address Validator plugin's official website or WordPress plugin repository for updates and advisories related to CVE-2025-14853.