Platform
wordpress
Component
enteraddons
Fixed in
2.3.3
CVE-2026-25014 describes a Cross-Site Request Forgery (CSRF) vulnerability in the themelooks Enter Addons WordPress plugin. A CSRF flaw lets an attacker-controlled page make an already-authenticated user's browser submit a request that user never intended, so actions the plugin exposes can be triggered on that user's behalf, potentially leading to unauthorized modifications or deletions within the plugin's functionality. The vulnerability affects versions from 0.0.0 up to and including 2.3.2; the fix ships in version 2.3.3.
A successful attack lets the attacker perform, as the victim, whichever plugin actions lack a nonce or capability check; the advisory summarized here does not identify the specific endpoints. The impact therefore scales with the privileges of the targeted user, and an administrator session is the most valuable target. The blast radius is bounded by what the Enter Addons plugin itself can do, which can still be significant depending on its functionality and its integration with other WordPress components. No exploitation campaigns have been publicly reported. Keep in mind that CSRF requires the victim to load attacker-controlled content while logged in, so the usual delivery is a link or page the victim is lured to.
CVE-2026-25014 was publicly disclosed on 2026-02-03. No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA KEV catalog at the time of writing. The CVSS score of 4.3 (MEDIUM) reflects a CSRF that needs user interaction and has limited impact; CVSS measures severity, not likelihood of exploitation, which is what the EPSS figure further down tracks.
WordPress sites running the themelooks Enter Addons plugin at any version from 0.0.0 through 2.3.2 are at risk. Shared hosting environments where plugin updates are managed centrally remain exposed until the host rolls out 2.3.3. Administrators and other users with elevated privileges in the plugin are the highest-value targets, because the attacker inherits whatever they are allowed to do.
• wordpress / composer / npm:
grep -ri 'Enter Addons' /var/www/html/wp-content/plugins/
wp plugin list | grep -i enteraddons
wp plugin get enteraddons --field=version
• generic web (unauthenticated version fingerprint; assumes the plugin directory matches the enteraddons slug):
curl -s https://your-wordpress-site.com/wp-content/plugins/enteraddons/readme.txt | grep -i '^Stable tag'
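The commands above tell you whether the plugin is present; the following added script (not the page's or the vendor's code) goes one step further and decides whether the installed build is inside the affected range, using PHP's version_compare() so that a hypothetical 2.3.10 is not mistaken for a vulnerable release. It runs with the PHP interpreter already present on any WordPress host and does not bootstrap WordPress. It assumes the plugin lives in a directory named enteraddons (the slug shown in the metadata above) and that its main file carries the standard WordPress "Version:" header.

```php
<?php
// Added example, not Enter Addons' own code. Reports whether the Enter Addons
// install under a wp-content/plugins directory is in the range affected by
// CVE-2026-25014 (<= 2.3.2). No WordPress bootstrap required.
// Assumptions: plugin directory "enteraddons", standard plugin header format.

const FIXED_VERSION = '2.3.3';

/** Extract "Version: X.Y.Z" from a plugin header comment, or null if absent. */
function plugin_header_version(string $source): ?string {
    // Same header shape WordPress itself parses, e.g. " * Version: 2.3.2".
    if (preg_match('/^[ \t\/*#@]*Version:[ \t]*([0-9][0-9.]*)/mi', $source, $m)) {
        return $m[1];
    }
    return null;
}

/** True when $version is below the fixed release. */
function is_affected(string $version): bool {
    // version_compare() compares numerically per component (2.3.10 > 2.3.3);
    // a plain string comparison would get that wrong.
    return version_compare($version, FIXED_VERSION, '<');
}

/** Locate the plugin's main file (the one with "Plugin Name:") and return its version. */
function installed_version(string $pluginsDir): ?string {
    $dir = rtrim($pluginsDir, '/') . '/enteraddons';
    foreach (glob($dir . '/*.php') ?: [] as $file) {
        // Plugin headers sit at the top of the file; 8 KiB is plenty.
        $head = file_get_contents($file, false, null, 0, 8192);
        if ($head !== false && preg_match('/^[ \t\/*#@]*Plugin Name:/mi', $head)) {
            $v = plugin_header_version($head);
            if ($v !== null) {
                return $v;
            }
        }
    }
    return null;
}

// CLI usage: php check-enteraddons.php /var/www/html/wp-content/plugins
// Exit status: 0 affected, 1 not affected, 2 not installed or unreadable.
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $v = installed_version($argv[1]);
    if ($v === null) {
        echo "enteraddons: not found or no Version header\n";
        exit(2);
    }
    echo "enteraddons $v: ",
        is_affected($v) ? "AFFECTED by CVE-2026-25014 (fixed in " . FIXED_VERSION . ")"
                        : "not in the affected range",
        "\n";
    exit(is_affected($v) ? 0 : 1);
}
```

Run it from a cron job or a configuration-management check across a fleet; the exit status is designed so that a non-zero result other than 1 flags hosts where the plugin could not be inspected at all, which deserve a manual look rather than a silent pass.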
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25014 is to upgrade the Enter Addons plugin to version 2.3.3 or later. If upgrading is not immediately feasible because of compatibility testing, a Web Application Firewall (WAF) can reduce exposure in the meantime, with one caveat: WordPress nonces travel in request parameters rather than headers, so a generic WAF cannot validate them. What a WAF can do is reject state-changing requests to wp-admin/admin-ajax.php and wp-admin/admin-post.php whose Origin or Referer header does not name your own site, which blocks the cross-site request a CSRF attack relies on (legitimate same-origin requests from wp-admin carry those headers). Limit the number of accounts with plugin-administration privileges, and remind administrators not to browse untrusted sites while logged in to wp-admin, because the attack borrows the victim's authenticated browser session. After upgrading, confirm that the installed version reads 2.3.3 or later and that the plugin's settings are unchanged.
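For the attack described above and the fix that 2.3.3 presumably applies, the following added example (not Enter Addons' code; the advisory does not show the plugin's handlers) contrasts the request-handler pattern that makes a WordPress plugin CSRF-able with the hardened form. Action, option and capability names (example_save_settings, example_setting, manage_options) are illustrative assumptions.

```php
<?php
// Added example, not Enter Addons' own code. Shows the WordPress handler
// pattern behind a plugin CSRF and its fix. All action/option names are
// assumptions chosen for illustration.

// VULNERABLE: an admin-ajax handler with no nonce and no capability check.
// Any page a logged-in user visits can POST to
// /wp-admin/admin-ajax.php with action=example_save_settings_vulnerable;
// the browser attaches the WordPress auth cookies, so the option changes.
add_action( 'wp_ajax_example_save_settings_vulnerable', function () {
    update_option( 'example_setting', wp_unslash( $_POST['value'] ?? '' ) );
    wp_send_json_success();
} );

// HARDENED: the request must carry a nonce bound to this action and to the
// current user, which an attacker's page cannot read, and the user must
// actually hold the capability the action needs.
add_action( 'wp_ajax_example_save_settings', function () {
    // Dies with HTTP 400 / body "-1" when "nonce" is missing or invalid.
    check_ajax_referer( 'example_save_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
} );

// The plugin's own admin page hands the nonce to its script; the same-origin
// policy keeps it out of reach of other sites, which is what makes the check
// meaningful. admin.js (not shown) then posts action, nonce and value to
// exampleAjax.url with credentials: 'same-origin'.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_settings' ),
    ) );
} );

// Same rule for classic form posts through admin-post.php: wp_nonce_field()
// in the form, check_admin_referer() plus a capability check in the handler.
add_action( 'admin_post_example_save_form', function () {
    check_admin_referer( 'example_save_form', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'insufficient privileges', '', array( 'response' => 403 ) );
    }
    update_option( 'example_setting', sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
} );
```

The two checks are not interchangeable: the nonce proves the request originated from a page the site served to this user, and the capability check proves the user may perform the action at all. A handler with only a nonce is still abusable by any low-privileged account that can load the page carrying it, and a handler with only a capability check is exactly the CSRF case this advisory describes.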
Upgrade to version 2.3.3 or a later patched version
CVE-2026-25014 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the themelooks Enter Addons WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using Enter Addons WordPress plugin versions 0.0.0 through 2.3.2. Upgrade to 2.3.3 or later to mitigate the risk.
Upgrade the Enter Addons plugin to version 2.3.3 or later. Consider implementing a WAF with CSRF protection as a temporary workaround.
There are currently no publicly reported active exploitation campaigns, but CSRF vulnerabilities are frequently targeted.
Refer to the themelooks official website or WordPress plugin repository for the latest advisory and update information.