Platform
wordpress
Component
moderate-selected-posts
Fixed version
1.4.1
CVE-2025-14907 is a Cross-Site Request Forgery (CSRF) vulnerability in the Moderate Selected Posts plugin for WordPress. An attacker needs no account on the site to craft a request that changes the plugin's settings, but the request only succeeds when a logged-in user with the required capability (typically an administrator) is induced to send it, because the browser attaches that user's session cookies. Versions 1.0.0 through 1.4 are affected; the fixed release is listed as 1.4.1, which should be confirmed against the plugin's changelog before relying on it.
The root cause is missing nonce verification in the mspadminpage() function: the settings handler accepts any POST that reaches it without checking that the request was submitted from a form WordPress rendered for that user. A CSRF attack exploits this by tricking a site administrator into unknowingly submitting such a request, for example through a link or a hidden auto-submitting form on a page the attacker controls; the administrator's browser sends it with the site's authentication cookies attached. Potential impacts include unauthorized changes to post moderation rules or display settings. A more severe outcome, such as injection of malicious content, would require the plugin to render or execute the stored settings unsafely, which is not established here. While the plugin itself does not handle sensitive data, altered settings can indirectly affect other parts of the WordPress site.
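The missing check and its fix, as an added illustration written for this page rather than the plugin's own code. The option name, form field, nonce action and nonce field name (all prefixed msp_demo_) are assumed; the plugin's real identifiers are not reproduced here. The vulnerable handler saves whatever POST reaches it, which is the pattern the advisory describes; the hardened handler requires both a capability and a nonce, and because WordPress ties nonces to the logged-in user's session, a form on an attacker's page cannot supply a valid one.

```php
<?php
/*
 * Added illustration, not code from the Moderate Selected Posts plugin.
 * All identifiers below (msp_demo_*) are assumed for the example.
 */

/* ---- Vulnerable pattern: saves settings on any POST that reaches it ---- */
function msp_demo_vulnerable_admin_page() {
    if ( isset( $_POST['msp_demo_moderate_cats'] ) ) {
        // No nonce and no capability check: a forged cross-site POST sent by a
        // logged-in administrator's browser is accepted as a legitimate save.
        update_option(
            'msp_demo_moderate_cats',
            sanitize_text_field( wp_unslash( $_POST['msp_demo_moderate_cats'] ) )
        );
    }
    msp_demo_render_form( false );
}

/* ---- Hardened pattern: capability check + nonce verification + POST-only ---- */
function msp_demo_hardened_admin_page() {
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['msp_demo_moderate_cats'] ) ) {
        // 1. The caller must be allowed to change settings at all. A nonce alone
        //    proves origin, not authorization, so this check stays separate.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.', 'msp-demo' ), 403 );
        }

        // 2. The request must carry a nonce minted for this user and this action.
        //    check_admin_referer() calls wp_die() when the nonce is missing,
        //    expired or issued for a different user or action.
        check_admin_referer( 'msp_demo_save_settings', 'msp_demo_nonce' );

        update_option(
            'msp_demo_moderate_cats',
            sanitize_text_field( wp_unslash( $_POST['msp_demo_moderate_cats'] ) )
        );

        // 3. Redirect after POST so a page reload cannot resubmit the form.
        wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=msp-demo' ) ) );
        exit;
    }
    msp_demo_render_form( true );
}

/* Renders the settings form; $with_nonce controls whether the nonce field is emitted. */
function msp_demo_render_form( $with_nonce ) {
    $value = get_option( 'msp_demo_moderate_cats', '' );
    echo '<form method="post">';
    if ( $with_nonce ) {
        // Emits a hidden input named msp_demo_nonce (plus _wp_http_referer).
        // The token is derived from the current user's session, so an
        // attacker's page cannot forge it.
        wp_nonce_field( 'msp_demo_save_settings', 'msp_demo_nonce' );
    }
    echo '<input type="text" name="msp_demo_moderate_cats" value="' . esc_attr( $value ) . '">';
    submit_button();
    echo '</form>';
}

// Register the hardened handler as a Settings submenu page (assumed slug msp-demo).
add_action( 'admin_menu', function () {
    add_options_page( 'MSP demo', 'MSP demo', 'manage_options', 'msp-demo', 'msp_demo_hardened_admin_page' );
} );
```

The capability check and the nonce check guard different things: the nonce proves the request came from a page WordPress rendered for this user, and current_user_can() proves the user may change settings. For handlers reached through admin-ajax.php or the REST API the equivalent checks are check_ajax_referer() and the REST nonce rather than check_admin_referer().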
This vulnerability was publicly disclosed on 2026-01-24. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the relatively low complexity of CSRF exploitation, it's reasonable to assume that attackers may develop and deploy exploits in the future.
Sites running the Moderate Selected Posts plugin are exposed in proportion to how their administrators work: the attack needs an administrator with an active wp-admin session to load attacker-controlled content (a phishing email, a forum link, an embedded page), so sites whose administrators browse other sites while logged in, or who are frequent phishing targets, carry the most risk. Shared hosting does not change the CSRF mechanics themselves; the concern there is the usual one that a site compromised through altered settings can be used to stage attacks on neighbouring sites.
Check whether the affected handler is present (this page spells the function both mspadminpage() and msp_admin_page(); the pattern matches either form):
• wordpress / composer / npm:
grep -rnE 'msp_?admin_?page' /var/www/html/wp-content/plugins/moderate-selected-posts/
Check the installed version (wp plugin list prints the plugin slug, not its display name, so match on the slug):
• wordpress / composer / npm:
wp plugin list --status=all --fields=name,version,update | grep moderate-selected-posts
Update to the fixed release, then confirm the version that is actually installed:
• wordpress / composer / npm:
wp plugin update moderate-selected-posts && wp plugin get moderate-selected-posts --field=version
Disclosure
2026-01-24
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-14907 is to update the Moderate Selected Posts plugin to the fixed release (1.4.1 as listed above) and confirm the installed version afterwards. Where the update cannot be applied immediately, deactivate the plugin, since the forged request needs the settings handler to be reachable. A Web Application Firewall can reduce exposure by rejecting POSTs to the plugin's admin page whose Origin or Referer header does not match the site, and setting the SameSite attribute on the site's session cookies (via a plugin or the web server) limits when a browser attaches them to cross-site requests; neither replaces nonce verification in the plugin. A Content Security Policy does not prevent CSRF, because the forged request originates from a page the attacker controls rather than from the vulnerable site. Regularly review plugin settings and user permissions to identify any unauthorized changes.
If no fixed release is available for your installation, review the vulnerability details and apply mitigations based on your organization's risk tolerance; uninstalling the affected software and finding an alternative may be the best option.
CVE-2025-14907 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 1.0.0–1.4 of the Moderate Selected Posts WordPress plugin. It lets an attacker change plugin settings through a forged request that a logged-in administrator's browser submits without the administrator's knowledge.
You are affected if your WordPress site runs the Moderate Selected Posts plugin in versions 1.0.0 through 1.4. Update to 1.4.1, the listed fixed release, and verify the installed version afterwards.
The recommended fix is to update the plugin to 1.4.1. Until you can update, deactivate the plugin or block forged requests with WAF rules that check the Origin and Referer headers on admin POSTs; a Content Security Policy does not mitigate CSRF.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests potential for future attacks.
Check the Moderate Selected Posts plugin website or WordPress plugin repository for updates and security advisories related to CVE-2025-14907.