Platform: wordpress
Component: kento-latest-tabs
Fixed in: 1.5.1
CVE-2025-14999 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Latest Tabs WordPress plugin. This flaw allows unauthenticated attackers to modify plugin settings if they can trick a site administrator into performing an action, such as clicking a malicious link. The vulnerability affects versions 1.0.0 through 1.5, and a fix is available in version 1.6.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized modification of the Latest Tabs plugin's settings. An attacker could leverage this to alter the plugin's behavior, potentially redirecting users, injecting malicious content, or disrupting site functionality. While the plugin itself may not contain sensitive data, changes to its configuration could have broader implications for the WordPress site's overall security posture. Successful exploitation requires the attacker to convince a site administrator to interact with a crafted request, making social engineering a key component of the attack.
CVE-2025-14999 was published on 2026-01-07. No public proof-of-concept (PoC) code is currently known. The attack's low technical complexity, offset by its reliance on social engineering, suggests a medium probability of exploitation (the EPSS score is likely medium). It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (4th percentile)
The recommended mitigation for CVE-2025-14999 is to immediately upgrade the Latest Tabs plugin to version 1.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out requests lacking proper nonce validation on the admin-page.php settings update handler. Additionally, carefully review any suspicious activity in the WordPress admin interface, particularly related to plugin settings. After upgrading, confirm the fix by attempting to submit a forged request to the settings update handler and verifying that it is rejected.
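To show what "proper nonce validation on the settings update handler" means in practice, here is an added illustration (not the Latest Tabs plugin's own code) of a vulnerable settings handler beside its hardened form; the option name, form fields and action names are hypothetical, and the pattern is the standard WordPress nonce plus capability check.

```php
<?php
// Added illustration, not the Latest Tabs plugin's own code. The option name,
// form field and action names below are hypothetical; the pattern is the
// standard WordPress nonce + capability check that prevents this class of CSRF.

// Vulnerable shape: any POST that reaches the handler while an administrator
// is logged in is honoured, so a forged cross-site form can change the setting.
function hypothetical_tabs_save_vulnerable() {
    if ( isset( $_POST['tabs_count'] ) ) {
        update_option( 'hypothetical_tabs_count', (int) $_POST['tabs_count'] );
    }
}

// Hardened shape, part 1: the settings form embeds a nonce bound to this
// specific action and the current user, so a third-party page cannot forge it.
function hypothetical_tabs_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="hypothetical_tabs_save">';
    wp_nonce_field( 'hypothetical_tabs_save', 'hypothetical_tabs_nonce' );
    echo '<input type="number" name="tabs_count" value="'
        . esc_attr( get_option( 'hypothetical_tabs_count', 5 ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Hardened shape, part 2: the handler rejects requests whose nonce is missing,
// expired or issued for another action/user, and requests from users who may
// not manage options. Input is sanitized before it is stored.
function hypothetical_tabs_save_hardened() {
    // check_admin_referer() calls wp_die() with a 403 response on failure.
    check_admin_referer( 'hypothetical_tabs_save', 'hypothetical_tabs_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $count = isset( $_POST['tabs_count'] ) ? absint( wp_unslash( $_POST['tabs_count'] ) ) : 5;
    update_option( 'hypothetical_tabs_count', $count );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_hypothetical_tabs_save', 'hypothetical_tabs_save_hardened' );
```

A WAF rule that blocks POSTs to the settings handler without the nonce field is only a stopgap: the nonce is a per-user, time-limited token that the WAF cannot verify, so the in-plugin check_admin_referer() call remains the real fix.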
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-14999 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Latest Tabs WordPress plugin versions 1.0.0–1.5, allowing attackers to modify plugin settings via forged requests.
You are affected if your WordPress site uses the Latest Tabs plugin and is running versions 1.0.0 through 1.5. Upgrade to version 1.6 or later to mitigate the risk.
Upgrade the Latest Tabs plugin to version 1.6 or later. As a temporary workaround, implement a WAF rule to filter requests lacking proper nonce validation.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the WordPress plugin repository and the Latest Tabs plugin developer's website for the official advisory and update information.