Platform: wordpress
Component: simple-crypto-shortcodes
Fixed in: 1.0.3
CVE-2025-14903 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Simple Crypto Shortcodes plugin for WordPress. It allows an unauthenticated attacker to modify plugin settings if they can convince a logged-in site administrator to follow a crafted link or submit a crafted form. The vulnerability affects versions 1.0.0 through 1.0.2 of the plugin; version 1.0.3 contains the fix.
The core impact is that an attacker can change plugin settings without needing credentials of their own: the forged request rides on the administrator's existing session because the settings handler does not verify that the request originated from the plugin's own form. A malicious page or form can thus cause an administrator to unknowingly execute actions that modify the Simple Crypto Shortcodes configuration. This could lead to unintended changes in plugin behavior, potential data exposure, or the introduction of malicious code. The attack surface is limited to administrators with access to the plugin's backend, but successful exploitation could have significant consequences for the WordPress site's security and functionality.
This vulnerability was publicly disclosed on 2026-01-24. There are currently no known public exploits or active campaigns targeting this specific vulnerability. The CVSS score of 4.3 (MEDIUM) indicates a moderate level of risk. It is not listed on the CISA KEV catalog at the time of writing.
Exploit Status
EPSS: 0.01% (0th percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2025-14903 is to upgrade the Simple Crypto Shortcodes plugin to a version that adds the missing nonce validation. If upgrading is not immediately feasible, consider temporary workarounds such as restricting access to the plugin's backend settings to trusted users only. A Web Application Firewall (WAF) with CSRF protection rules can also help to block forged requests. Regularly review WordPress plugin settings for unauthorized changes.
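The root cause named above is a settings handler that accepts a POST without checking a WordPress nonce. The following is an added example, not code from the Simple Crypto Shortcodes plugin: a minimal admin-post settings handler written first in the CSRF-prone form and then in the nonce-protected form, together with the form that emits the matching nonce. All names (the `scs_example_*` functions and action slugs, the `scs_example_api_key` option) are hypothetical; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `update_option`, `sanitize_text_field`, `wp_unslash`) are real.

```php
<?php
/**
 * Added example (not the plugin's own code). Every scs_example_* name and
 * the option key are hypothetical; the WordPress functions are real.
 */

// --- Vulnerable pattern: any POST to admin-post.php?action=scs_example_save_unsafe
// is honoured as long as the browser carries an administrator's login cookie.
// Nothing proves the request came from a form this site rendered for this user,
// which is exactly the defect class behind a CSRF finding like CVE-2025-14903.
add_action( 'admin_post_scs_example_save_unsafe', 'scs_example_save_unsafe' );
function scs_example_save_unsafe() {
    // No capability check, no nonce check, raw input written straight to the DB.
    update_option( 'scs_example_api_key', $_POST['api_key'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=scs-example' ) );
    exit;
}

// --- Hardened pattern: verify that the caller is allowed to change settings AND
// that the request carries a nonce minted for this user and this action.
add_action( 'admin_post_scs_example_save', 'scs_example_save' );
function scs_example_save() {
    // 1. Authorization: the nonce alone does not prove the user may manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'scs-example' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: check_admin_referer() validates the field 'scs_example_nonce'
    //    against the action 'scs_example_save' and calls wp_die() on failure.
    //    Nonces are tied to the user and session, so a cross-site page cannot
    //    produce a valid one.
    check_admin_referer( 'scs_example_save', 'scs_example_nonce' );

    // 3. Input handling: unslash and sanitize before persisting.
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    update_option( 'scs_example_api_key', $api_key );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=scs-example' ) ) );
    exit;
}

// --- The settings form must emit the matching nonce field; without it every
// legitimate submission would now fail the check above.
function scs_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="scs_example_save">
        <?php wp_nonce_field( 'scs_example_save', 'scs_example_nonce' ); ?>
        <label for="api_key">API key</label>
        <input type="text" id="api_key" name="api_key"
               value="<?php echo esc_attr( get_option( 'scs_example_api_key', '' ) ); ?>">
        <?php submit_button( __( 'Save', 'scs-example' ) ); ?>
    </form>
    <?php
}
```

Plugins that use the WordPress Settings API instead (`register_setting()` plus `settings_fields()` in the form, submitting to `options.php`) get the same nonce check performed by core, which is why the Settings API is the usual recommendation for new plugin settings pages. When auditing a plugin for this class of bug, look for handlers hooked to `admin_post_*`, `admin_init`, or `wp_ajax_*` that write options from `$_POST` or `$_GET` without a preceding `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` call.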
CVE-2025-14903 is a Cross-Site Request Forgery (CSRF) vulnerability in the Simple Crypto Shortcodes WordPress plugin, allowing attackers to modify settings via forged requests.
You are affected if you are using Simple Crypto Shortcodes plugin versions 1.0.0 through 1.0.2.
Upgrade the Simple Crypto Shortcodes plugin to version 1.0.3 or later, which adds the missing nonce validation. If upgrading is not possible, restrict access to the plugin's settings to trusted users.
There are currently no known public exploits or active campaigns targeting this specific vulnerability.
Refer to the WordPress security announcements and the Simple Crypto Shortcodes plugin developer's website for official advisories and updates.