Platform: wordpress
Component: newsletter-email-subscribe
Fixed in: 2.5.4
CVE-2025-14904 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Newsletter Email Subscribe plugin for WordPress. This flaw allows unauthenticated attackers to modify plugin settings if they can trick a site administrator into performing a malicious action. The vulnerability impacts versions from 0.0.0 up to and including 2.4, and a patch is available in version 2.5.4.
The primary impact of this CSRF vulnerability is the potential for unauthorized modification of the Newsletter Email Subscribe plugin's settings. An attacker could leverage this to alter subscription lists, change email templates, or disable important features. Successful exploitation could lead to spam campaigns, data breaches (if email addresses are exposed), and disruption of legitimate email marketing efforts. The attack vector relies on social engineering, requiring the attacker to convince a site administrator to click a malicious link, but the potential consequences are significant, especially for sites heavily reliant on the plugin for email marketing.
This vulnerability was publicly disclosed on 2026-01-07. There are currently no known public proof-of-concept exploits available. The vulnerability's severity is rated MEDIUM, suggesting a moderate probability of exploitation, particularly given the plugin's popularity and the relatively simple attack vector. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC:
CVSS Vector:
The most effective mitigation is to immediately upgrade the Newsletter Email Subscribe plugin to version 2.5.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by adding nonce validation to the nelssettingspage function. While not a complete fix, this can significantly reduce the risk. Web application firewalls (WAFs) configured to detect and block CSRF attacks can also provide an additional layer of protection. Regularly review WordPress plugin settings for any unauthorized changes.
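The workaround above, adding nonce validation to the settings handler, is the standard WordPress defence against CSRF on admin forms: the form embeds a per-user, time-limited token with `wp_nonce_field()`, and the handler refuses any request that does not carry a valid token via `check_admin_referer()`. The following is an added, constructed example of what a hardened settings page looks like; it is not the Newsletter Email Subscribe plugin's code, and the option key `nels_example_settings`, the nonce action name, the `nels_example_*` function names and the form fields are assumptions made for illustration. It also hooks `updated_option` to log who changed the setting and from where, which supports the advice to review plugin settings for unauthorized changes.

```php
<?php
/**
 * Illustrative hardened settings page for a WordPress plugin (added example).
 * NOT the Newsletter Email Subscribe plugin's code: the option key, nonce
 * action, function names and field names below are assumptions.
 */

// Assumed option key and nonce action (placeholders, not the plugin's own).
define( 'NELS_EX_OPTION', 'nels_example_settings' );
define( 'NELS_EX_NONCE_ACTION', 'nels_example_save_settings' );

add_action( 'admin_menu', function () {
    add_options_page(
        'Newsletter Example Settings',
        'Newsletter Example',
        'manage_options',            // capability required to see the page
        'nels-example',
        'nels_example_settings_page'
    );
} );

// admin-post.php routes POSTs with action=nels_example_save to this handler.
add_action( 'admin_post_nels_example_save', 'nels_example_handle_save' );

function nels_example_settings_page() {
    // Menu registration alone does not protect the callback; check again here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'nels-example' ), 403 );
    }
    $settings = get_option( NELS_EX_OPTION, array( 'from_email' => '', 'enabled' => 0 ) );
    ?>
    <div class="wrap">
        <h1>Newsletter Example Settings</h1>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="nels_example_save">
            <?php
            // Emits the _wpnonce hidden field (plus _wp_http_referer). A request
            // forged from another site cannot supply a valid value for this user.
            wp_nonce_field( NELS_EX_NONCE_ACTION );
            ?>
            <label>From address
                <input type="email" name="from_email"
                       value="<?php echo esc_attr( $settings['from_email'] ); ?>">
            </label>
            <label>
                <input type="checkbox" name="enabled" value="1" <?php checked( 1, (int) $settings['enabled'] ); ?>>
                Enable subscriptions
            </label>
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}

function nels_example_handle_save() {
    // Order: authorization first, then the CSRF check, then input handling.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'nels-example' ), 403 );
    }
    // Stops with a 403 page when the nonce is missing, expired or issued to another user.
    check_admin_referer( NELS_EX_NONCE_ACTION );

    $settings = array(
        'from_email' => sanitize_email( wp_unslash( $_POST['from_email'] ?? '' ) ),
        'enabled'    => empty( $_POST['enabled'] ) ? 0 : 1,
    );
    update_option( NELS_EX_OPTION, $settings );

    wp_safe_redirect( add_query_arg( 'settings-updated', 'true',
        admin_url( 'options-general.php?page=nels-example' ) ) );
    exit;
}

// Change auditing: record who changed the option and from which address, so an
// unexpected edit (the symptom of a successful CSRF) is visible in the logs.
add_action( 'updated_option', function ( $option, $old_value, $new_value ) {
    if ( NELS_EX_OPTION !== $option ) {
        return;
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        '[nels-example] settings changed by user #%d (%s) from %s: %s -> %s',
        $user->ID,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        wp_json_encode( $old_value ),
        wp_json_encode( $new_value )
    ) );
}, 10, 3 );
```

The two checks are deliberately separate: `current_user_can()` answers "is this user allowed to change settings at all", while `check_admin_referer()` answers "did this user actually intend this request". A CSRF attack passes the first (the victim is a logged-in administrator) and fails the second, which is why a capability check alone, as is common in vulnerable settings pages, is not enough.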
CVE-2025-14904 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Newsletter Email Subscribe plugin for WordPress versions 0.0.0–2.4, allowing attackers to modify plugin settings via forged requests.
You are affected if you are using the Newsletter Email Subscribe plugin in WordPress versions 0.0.0 through 2.4. Upgrade to 2.5.4 to resolve the vulnerability.
Upgrade the Newsletter Email Subscribe plugin to version 2.5.4 or later. As a temporary workaround, implement nonce validation in the nelssettingspage function.
There are currently no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants caution.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.