Platform
wordpress
Component
adminquickbar
Fixed in
1.9.4
CVE-2025-14630 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the AdminQuickbar plugin for WordPress. This flaw allows unauthenticated attackers to manipulate plugin settings and update post titles if they can trick a logged-in site administrator into visiting a crafted page or link. The vulnerability impacts versions 1.0.0 through 1.9.3, and a patch is available in version 1.9.4.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized modification of the AdminQuickbar plugin's configuration and the ability to alter post titles. An attacker could craft a malicious link or embed a hidden form on a website that, when visited by an administrator, would trigger a forged request. This could lead to changes in plugin behavior, potentially impacting site functionality or security. While the vulnerability requires administrator interaction, the ease of crafting CSRF attacks makes it a significant risk, especially on sites with a large user base or frequent administrator activity. The attacker does not need to authenticate to exploit this vulnerability, only to trick an authenticated administrator.
This vulnerability was publicly disclosed on 2026-01-24. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the relatively straightforward nature of CSRF exploitation and the plugin's popularity, it is prudent to assume that a public exploit could emerge in the future.
Sites running the AdminQuickbar plugin versions 1.0.0 through 1.9.3 are at risk, particularly those with active site administrators who frequently log in and interact with the plugin's settings. Shared WordPress hosting environments where plugin updates are not consistently managed are also at increased risk.
• wordpress / plugin: wp plugin list | grep -i adminquickbar
• wordpress / plugin: Check the version number of the AdminQuickbar plugin. Versions prior to 1.9.4 are vulnerable.
• wordpress / plugin: Examine the plugin's code for missing or incorrect nonce validation in the 'saveSettings' and 'renamePost' AJAX actions. Look for instances where user input is processed without proper verification.
• generic web: Monitor server access logs for suspicious requests originating from unfamiliar sources targeting the plugin's AJAX endpoints (e.g., wp-admin/admin-ajax.php).
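The log check in the last item can be scripted. The PHP CLI script below is an added example, not part of the advisory or of the AdminQuickbar project: it parses combined-format access log lines (constructed here, with the site host example.com assumed) and flags POSTs to wp-admin/admin-ajax.php whose Referer is a different origin, the usual footprint of a forged cross-site request. It requires PHP 8 for str_ends_with().

```php
<?php
// Added example (not from the advisory): flag POSTs to admin-ajax.php whose
// Referer belongs to a different origin than the site, a common CSRF indicator.
// The sample log lines below are constructed; SITE_HOST is an assumption.

const SITE_HOST = 'example.com';

// Apache/nginx "combined" format: ip ident user [time] "req" status bytes "referer" "ua"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

function parse_line( string $line ): ?array {
    if ( ! preg_match( LOG_RE, $line, $m ) ) {
        return null; // not a combined-format line; skip it
    }
    return array(
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
    );
}

/**
 * Classify one request: 'cross-origin', 'no-referer' or null (ignore).
 * Only POSTs to admin-ajax.php are considered; legitimate admin traffic
 * carries a Referer on the site's own host.
 */
function classify( array $r ): ?string {
    if ( 'POST' !== $r['method'] ) {
        return null;
    }
    $path = (string) parse_url( $r['path'], PHP_URL_PATH );
    if ( ! str_ends_with( $path, '/wp-admin/admin-ajax.php' ) ) {
        return null;
    }
    if ( '-' === $r['referer'] || '' === $r['referer'] ) {
        // Browsers strip Referer under some policies; not proof, but worth a look.
        return 'no-referer';
    }
    $host = strtolower( (string) parse_url( $r['referer'], PHP_URL_HOST ) );
    return $host === strtolower( SITE_HOST ) ? null : 'cross-origin';
}

function scan( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $r = parse_line( trim( $line ) );
        if ( null === $r ) {
            continue;
        }
        $verdict = classify( $r );
        if ( null !== $verdict ) {
            $hits[] = array(
                'verdict' => $verdict,
                'ip'      => $r['ip'],
                'time'    => $r['time'],
                'status'  => $r['status'],
                'referer' => $r['referer'],
            );
        }
    }
    return $hits;
}

// Constructed sample lines: one cross-origin POST, one legitimate POST,
// one GET (ignored) and one POST without a Referer.
$sample = array(
    '203.0.113.5 - - [24/Jan/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "https://third-party.example/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Jan/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "https://example.com/wp-admin/edit.php" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Jan/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Jan/2026:10:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
);

$lines = $argc > 1 ? file( $argv[1] ) : $sample;
foreach ( scan( $lines ) as $hit ) {
    printf( "%-12s %-15s %s status=%d referer=%s\n",
        $hit['verdict'], $hit['ip'], $hit['time'], $hit['status'], $hit['referer'] );
}
```

Run it as `php scan.php /var/log/apache2/access.log` (or with no argument to use the embedded samples). Two caveats: the action parameter of a forged request normally travels in the POST body and does not appear in the access log, so the rule cannot single out saveSettings and renamePost and instead surfaces every cross-origin POST to the AJAX endpoint; and a cross-origin POST that returned 200 is the combination worth investigating, since a handler that validates its nonce rejects such a request instead.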
disclosure
Exploit status
EPSS
0.01% (0th percentile)
CISA SSVC
CVSS Vector
The recommended mitigation is to immediately upgrade the AdminQuickbar plugin to version 1.9.4 or later. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider implementing temporary workarounds. These might include restricting administrator access to sensitive areas of the plugin's configuration page or implementing stricter input validation on the 'saveSettings' and 'renamePost' AJAX actions. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can also provide an additional layer of protection. After upgrading, verify the fix by attempting to trigger a forged request and confirming that the action is blocked.
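The code review item above ("missing or incorrect nonce validation in the 'saveSettings' and 'renamePost' AJAX actions") and the interim hardening suggested here come down to the same pattern. The PHP below is an added example, not AdminQuickbar's own code: it shows the handler shape that is exposed to CSRF beside a hardened version that checks a nonce and then a capability before touching data. The option name, nonce actions, request field names, function names and the script handle aqb-demo-admin are assumptions.

```php
<?php
// Added example: hardening the two AJAX actions named in the advisory
// ('saveSettings' and 'renamePost') against CSRF. Illustrative only, not the
// plugin's code; option name, nonce actions and field names are assumptions.

// --- Exposed pattern: no nonce and no capability check. --------------------
// Any request that arrives with the admin's session cookie is honoured, which
// is exactly what a forged cross-site form relies on.
function aqb_demo_save_settings_exposed() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'aqb_demo_settings', $settings );
    wp_send_json_success();
}

// --- Hardened pattern --------------------------------------------------------
function aqb_demo_save_settings() {
    // 1. CSRF defence: the request must carry a nonce minted for this action.
    //    check_ajax_referer() terminates the request when it is missing or invalid.
    check_ajax_referer( 'aqb_demo_save_settings', 'nonce' );

    // 2. Authorisation: a valid nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Sanitise input before persisting it.
    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array_map( 'sanitize_text_field', $raw );
    update_option( 'aqb_demo_settings', $settings );
    wp_send_json_success( $settings );
}

function aqb_demo_rename_post() {
    check_ajax_referer( 'aqb_demo_rename_post', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    // Per-object capability check: the caller must be allowed to edit this post.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    if ( '' === $title ) {
        wp_send_json_error( 'empty title', 400 );
    }

    $result = wp_update_post( array( 'ID' => $post_id, 'post_title' => $title ), true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id, 'title' => $title ) );
}

// Register only the hardened handlers, and only on the logged-in (wp_ajax_)
// hooks; there is deliberately no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_saveSettings', 'aqb_demo_save_settings' );
add_action( 'wp_ajax_renamePost', 'aqb_demo_rename_post' );

// Hand the nonces to the admin-side script (handle assumed to be enqueued
// elsewhere) so that legitimate requests can include them.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'aqb-demo-admin', 'aqbDemo', array(
        'ajaxUrl'           => admin_url( 'admin-ajax.php' ),
        'saveSettingsNonce' => wp_create_nonce( 'aqb_demo_save_settings' ),
        'renamePostNonce'   => wp_create_nonce( 'aqb_demo_rename_post' ),
    ) );
} );
```

The legitimate client then POSTs action=saveSettings (or action=renamePost) together with the nonce field to admin-ajax.php. A page on another origin cannot read that nonce, so its forged form fails the check_ajax_referer() call before any data is modified; the capability check behind it is still needed, because a nonce only ties the request to a user session, not to a permission level.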
No patch is known to be available. Please review the vulnerability details in depth and apply mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and look for a replacement.
CVE-2025-14630 is a Cross-Site Request Forgery (CSRF) vulnerability in the AdminQuickbar WordPress plugin, allowing attackers to modify settings and post titles if they can trick an administrator into clicking a malicious link.
Yes. If you are using AdminQuickbar plugin versions 1.0.0 through 1.9.3, you are affected by this vulnerability.
Upgrade the AdminQuickbar plugin to version 1.9.4 or later to resolve this vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
There are currently no known active exploits, but the vulnerability's nature suggests potential for future exploitation.
Refer to the AdminQuickbar plugin's official website or WordPress plugin repository for the latest advisory and update information.