Platform: wordpress
Component: moderate-selected-posts
Fixed in: 1.4.1
CVE-2025-14907 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Moderate Selected Posts plugin for WordPress. The flaw lets an unauthenticated attacker change the plugin's settings by getting a logged-in administrator's browser to submit a forged request, potentially altering site behavior and functionality. The vulnerability affects versions 1.0.0 through 1.4, and a patch is expected to be released by the plugin developer.
The root cause is missing nonce verification in the mspadminpage() function: the settings handler accepts any request that arrives with the administrator's session cookies, with no proof that the request originated from the plugin's own settings form. A CSRF attack exploits this by tricking a site administrator into unknowingly submitting such a request, for example through a crafted link or a hidden form embedded in a page the administrator visits; when the administrator's browser sends it, the plugin's configuration is modified. Potential impacts include unauthorized changes to post moderation rules, altered display settings, or even the injection of malicious code if the plugin handles user-supplied data in a vulnerable way. While the plugin itself does not directly handle sensitive data, modifications to its settings could indirectly affect other parts of the WordPress site.
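As an added illustration (not the plugin's own code), the following hypothetical settings handler shows the missing-nonce pattern the advisory describes next to its WordPress-idiomatic fix; the function, option and field names are assumed.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical settings page
// handler in the shape of mspadminpage(), first without and then with the
// WordPress CSRF protections. Option and field names are assumed.

// BEFORE: the handler trusts any POST that reaches it. A forged form on a
// third-party page, submitted by a logged-in administrator's browser, is
// indistinguishable from a legitimate save.
function msp_admin_page_vulnerable() {
    if ( isset( $_POST['msp_moderate_categories'] ) ) {
        update_option( 'msp_moderate_categories',
            sanitize_text_field( wp_unslash( $_POST['msp_moderate_categories'] ) ) );
    }
    echo '<form method="post">';
    echo '<input type="text" name="msp_moderate_categories" value="'
        . esc_attr( get_option( 'msp_moderate_categories', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// AFTER: the form carries a nonce tied to the action and the current user,
// and the handler refuses any POST whose nonce does not verify. A capability
// check is added as well so only users allowed to manage options can save.
function msp_admin_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'msp-example' ) );
    }
    if ( isset( $_POST['msp_moderate_categories'] ) ) {
        // check_admin_referer() stops the request when the nonce is absent,
        // expired, or was issued for another user or action.
        check_admin_referer( 'msp_save_settings', 'msp_nonce' );
        update_option( 'msp_moderate_categories',
            sanitize_text_field( wp_unslash( $_POST['msp_moderate_categories'] ) ) );
    }
    echo '<form method="post">';
    // Emits a hidden field named msp_nonce holding a nonce for the action;
    // a page on another origin cannot read or predict its value.
    wp_nonce_field( 'msp_save_settings', 'msp_nonce' );
    echo '<input type="text" name="msp_moderate_categories" value="'
        . esc_attr( get_option( 'msp_moderate_categories', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```

The nonce check is what a WAF rule or CSP cannot replace: it ties each settings save to a token that only the plugin's own form, rendered for the current user, can carry.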
This vulnerability was publicly disclosed on 2026-01-24. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the relatively low complexity of CSRF exploitation, it's reasonable to assume that attackers may develop and deploy exploits in the future.
Exploit Status
EPSS: 0.03% (8th percentile)
The primary mitigation for CVE-2025-14907 is to upgrade to a patched version of the Moderate Selected Posts plugin as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can provide an additional layer of protection. Enforcing strict Content Security Policy (CSP) headers can also help mitigate the risk by restricting the sources from which the browser can load resources. Regularly review plugin settings and user permissions to identify any unauthorized changes.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-14907 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 1.0.0–1.4 of the Moderate Selected Posts WordPress plugin, allowing attackers to modify plugin settings via forged requests.
You are affected if your WordPress site uses the Moderate Selected Posts plugin in versions 1.0.0 through 1.4. Upgrade to a patched version as soon as available.
The recommended fix is to upgrade to a patched version of the Moderate Selected Posts plugin. Until a patch is released, consider WAF rules and CSP.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests potential for future attacks.
Check the Moderate Selected Posts plugin website or WordPress plugin repository for updates and security advisories related to CVE-2025-14907.