Platform
wordpress
Component
doubledome-resource-link-library
Fixed version
1.5.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Resource Library for Logged In Users plugin for WordPress. This flaw allows unauthenticated attackers to potentially perform unauthorized actions on a WordPress site if they can trick an administrator into clicking a malicious link. The vulnerability affects versions 1.0.0 through 1.5, but has been resolved in version 1.6.
The CSRF vulnerability allows an attacker to execute actions as the currently logged-in administrator. This includes the creation, modification, and deletion of resources and categories within the Resource Library. Successful exploitation could lead to unauthorized content being added to the site, sensitive data being altered, or critical resources being removed, potentially disrupting site functionality or compromising data integrity. The impact is amplified if the administrator has broad permissions within the WordPress installation.
This vulnerability is publicly known and documented. While no active exploitation campaigns have been definitively linked to CVE-2025-14354 at the time of writing, the availability of CSRF exploitation techniques makes it a potential target. The vulnerability was disclosed on 2025-12-12. No KEV listing is currently available.
WordPress sites utilizing the Resource Library for Logged In Users plugin, particularly those with shared hosting environments or legacy configurations where administrators may be more susceptible to social engineering attacks, are at risk. Sites where administrators routinely click links from untrusted sources are also more vulnerable.
• wordpress / composer / npm:
grep -r 'wp_nonce_field' /var/www/html/wp-content/plugins/resource-library-for-logged-in-users/
• generic web:
curl -I 'https://example.com/wp-admin/admin-post.php?action=resource_library_create_resource&resource_name=TestResource&resource_content=TestContent' | grep -i 'referer'
disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Resource Library for Logged In Users plugin to version 1.6 or later. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, educate administrators to be cautious of suspicious links and avoid clicking them while logged into WordPress. Regularly review WordPress user permissions to minimize the potential impact of a successful attack.
Update to version 1.6 or a later fixed version
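The root cause of a CSRF bug in a WordPress admin action is a handler that trusts any request arriving with the administrator's session cookie, without a nonce or capability check. The following is an added example, not the plugin's own code: a hypothetical admin-post handler that creates a "resource", shown first in the unprotected form and then hardened with current_user_can() and check_admin_referer(). All function names, the action name, the option key and the form markup are assumptions; only the WordPress API calls are real.

```php
<?php
/**
 * Added example (hypothetical, not the plugin's code): an admin-post handler
 * that creates a "resource", first without CSRF protection, then hardened.
 * Names prefixed rl_example_ and the option key are assumptions.
 */

// --- Vulnerable pattern (hypothetical) ----------------------------------
// Any POST reaching admin-post.php while the admin's session cookie is
// present is acted on. A form on a third-party page can therefore create a
// resource on the administrator's behalf.
function rl_example_create_resource_vulnerable() {
    $name    = sanitize_text_field( wp_unslash( $_POST['resource_name'] ?? '' ) );
    $content = wp_kses_post( wp_unslash( $_POST['resource_content'] ?? '' ) );
    rl_example_store_resource( $name, $content );
    wp_safe_redirect( admin_url( 'admin.php?page=rl-example' ) );
    exit;
}

// --- Hardened pattern (hypothetical) ------------------------------------
function rl_example_create_resource_hardened() {
    // 1. Capability check: only users allowed to manage options may act.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'rl-example' ), 403 );
    }

    // 2. CSRF check: the request must carry the nonce our own form emitted.
    //    check_admin_referer() verifies the nonce (and the referer) and
    //    calls wp_die() itself on failure.
    check_admin_referer( 'rl_example_create_resource', 'rl_example_nonce' );

    $name    = sanitize_text_field( wp_unslash( $_POST['resource_name'] ?? '' ) );
    $content = wp_kses_post( wp_unslash( $_POST['resource_content'] ?? '' ) );
    if ( '' === $name ) {
        wp_die( esc_html__( 'Resource name is required.', 'rl-example' ), 400 );
    }

    rl_example_store_resource( $name, $content );
    wp_safe_redirect(
        add_query_arg( 'rl_status', 'created', admin_url( 'admin.php?page=rl-example' ) )
    );
    exit;
}

// Shared storage helper (hypothetical): keeps resources in one option.
function rl_example_store_resource( $name, $content ) {
    $resources   = get_option( 'rl_example_resources', array() );
    $resources[] = array(
        'name'    => $name,
        'content' => $content,
        'created' => time(),
    );
    update_option( 'rl_example_resources', $resources );
}

// The legitimate form that submits to the hardened handler. wp_nonce_field()
// emits the hidden nonce input; it is the call the page's grep check looks for.
function rl_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rl_example_create_resource">
        <?php wp_nonce_field( 'rl_example_create_resource', 'rl_example_nonce' ); ?>
        <input type="text" name="resource_name" required>
        <textarea name="resource_content"></textarea>
        <?php submit_button( __( 'Create resource', 'rl-example' ) ); ?>
    </form>
    <?php
}

// Register only the hardened handler, and only for logged-in users: with no
// admin_post_nopriv_ hook, admin-post.php rejects anonymous requests itself.
add_action( 'admin_post_rl_example_create_resource', 'rl_example_create_resource_hardened' );
```

The same two checks apply to the update and delete actions the advisory mentions; each action should use its own nonce action string so a nonce issued for one form cannot be replayed against another. A WAF rule that blocks admin-post.php requests lacking a same-origin Referer or Origin header is a reasonable stopgap until the plugin is upgraded, but it does not replace the nonce check in code.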
CVE-2025-14354 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 1.0.0–1.5 of the Resource Library for Logged In Users WordPress plugin, allowing unauthorized actions.
If you are using the Resource Library for Logged In Users plugin in WordPress versions 1.0.0 through 1.5, you are potentially affected by this vulnerability.
Upgrade the Resource Library for Logged In Users plugin to version 1.6 or later to resolve the CSRF vulnerability. Consider a WAF as a temporary mitigation.
While no confirmed active exploitation campaigns are currently known, the vulnerability's nature makes it a potential target.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.