Escanear grátis
MEDIUMCVE-2025-14162CVSS 4.3

Plugin BMLT WordPress <= 3.11.4 - Cross-Site Request Forgery para Criação e Exclusão de Configurações

Plataforma

wordpress

Componente

bmlt-wordpress-satellite-plugin

Corrigido em

3.11.5

3.11.5

AI Confidence: highNVDEPSS 0.0%Revisado: mai. de 2026
Ver no NVD
Salvar
Traduzindo para o seu idioma…

A Cross-Site Request Forgery (CSRF) vulnerability exists in the BMLT WordPress Satellite plugin for WordPress. This flaw, present in versions up to and including 3.11.4, stems from insufficient nonce validation during the creation and deletion of plugin options. Successful exploitation allows unauthenticated attackers to manipulate plugin settings by tricking a site administrator into performing malicious actions.

WordPress

Detecte esta CVE no seu projeto

Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.

Escanear grátis

Impacto e Cenários de Ataquetraduzindo…

The primary impact of this CSRF vulnerability is the ability for an attacker to modify the BMLT WordPress Satellite plugin's configuration without authentication. By crafting malicious links or forms, an attacker can induce a site administrator to unknowingly execute actions that create or delete plugin options. This could lead to unauthorized changes in plugin behavior, potentially impacting site functionality or exposing sensitive data. While the direct data at risk is limited to plugin-specific settings, the ability to alter plugin behavior could have broader consequences depending on the plugin's functionality and integration with other site components. This vulnerability shares similarities with other CSRF exploits where user interaction is required to trigger the malicious action.

Contexto de Exploraçãotraduzindo…

CVE-2025-14162 was publicly disclosed on December 11, 2025. There is no indication of this vulnerability being actively exploited in the wild at this time. The EPSS score is likely to be low to medium, given the requirement for user interaction (tricking an administrator) and the relatively limited scope of potential impact. No public proof-of-concept exploits have been identified as of the disclosure date.

Quem Está em Riscotraduzindo…

WordPress websites utilizing the BMLT WordPress Satellite plugin, particularly those with administrator accounts that are not adequately protected with strong passwords and multi-factor authentication, are at risk. Shared hosting environments where multiple websites share the same server resources are also potentially vulnerable, as a compromise of one site could potentially impact others.

Passos de Detecçãotraduzindo…

• wordpress / composer / npm:

grep -r 'BMLTPlugin_create_option' /var/www/html/wp-content/plugins/

• wordpress / composer / npm:

wp plugin list | grep BMLT

• wordpress / composer / npm:

wp plugin update --all

• generic web: Check for suspicious URLs containing plugin-specific parameters in access logs. • generic web: Inspect HTTP requests for unexpected POST requests targeting plugin endpoints.

Linha do Tempo do Ataque

  1. Disclosure

    disclosure

Inteligência de Ameaças

Status do Exploit

Prova de ConceitoDesconhecido
CISA KEVNO
Exposição na InternetAlta

EPSS

0.02% (percentil 3%)

CISA SSVC

Exploraçãonone
Automatizávelno
Impacto Técnicopartial

Vetor CVSS

INTELIGÊNCIA DE AMEAÇAS· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N4.3MEDIUMAttack VectorNetworkComo o atacante alcança o alvoAttack ComplexityLowCondições necessárias para explorarPrivileges RequiredNoneNível de autenticação necessárioUser InteractionRequiredSe a vítima precisa tomar uma açãoScopeUnchangedImpacto além do componente afetadoConfidentialityNoneRisco de exposição de dados sensíveisIntegrityLowRisco de modificação não autorizada de dadosAvailabilityNoneRisco de interrupção de serviçonextguardhq.com · Pontuação Base CVSS v3.1
O que significam essas métricas?
Attack Vector
Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
Attack Complexity
Baixa — sem condições especiais. O atacante pode explorar de forma confiável.
Privileges Required
Nenhum — sem autenticação necessária para explorar.
User Interaction
Necessária — a vítima deve abrir um arquivo, clicar em um link ou visitar uma página.
Scope
Inalterado — impacto limitado ao componente vulnerável.
Confidentiality
Nenhum — sem impacto na confidencialidade.
Integrity
Baixo — o atacante pode modificar alguns dados com alcance limitado.
Availability
Nenhum — sem impacto na disponibilidade.

Software Afetado

Componentebmlt-wordpress-satellite-plugin
Fornecedorwordfence
Faixa afetadaCorrigido em
0.0.0 – 3.11.43.11.5
3.11.43.11.5

Informações do pacote

Instalações ativas
100
Avaliação do plugin
5.0
Requer WordPress
6.2+
Compatível até
6.9.4
Requer PHP
8.1+
Site

Classificação de Fraqueza (CWE)

CWE-352

Linha do tempo

  1. Reservado
  2. Publicada
  3. Modificada
  4. EPSS atualizado
Sem correção — 164 dias desde a divulgação

Mitigação e Soluções Alternativastraduzindo…

The recommended mitigation is to immediately upgrade the BMLT WordPress Satellite plugin to a version newer than 3.11.4, where the vulnerability has been addressed. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, ensure that all administrator accounts have strong, unique passwords and that multi-factor authentication is enabled. Regularly review plugin settings for any unauthorized modifications. There are no specific Sigma or YARA rules readily available for this particular vulnerability, but generic CSRF detection rules can be applied.

Como corrigir

Nenhum patch conhecido disponível. Por favor, revise os detalhes da vulnerabilidade em profundidade e implemente mitigações com base na tolerância ao risco da sua organização. Pode ser melhor desinstalar o software afetado e encontrar um substituto.

Boletim de Segurança CVE

Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.

Perguntas frequentestraduzindo…

What is CVE-2025-14162 — CSRF in BMLT WordPress Satellite?

CVE-2025-14162 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the BMLT WordPress Satellite plugin versions up to 3.11.4, allowing attackers to manipulate plugin settings.

Am I affected by CVE-2025-14162 in BMLT WordPress Satellite?

You are affected if your WordPress site uses the BMLT WordPress Satellite plugin version 3.11.4 or earlier. Upgrade to a patched version to resolve the vulnerability.

How do I fix CVE-2025-14162 in BMLT WordPress Satellite?

Upgrade the BMLT WordPress Satellite plugin to a version newer than 3.11.4. Consider implementing a WAF and enabling multi-factor authentication for administrator accounts as interim measures.

Is CVE-2025-14162 being actively exploited?

As of December 11, 2025, there is no public evidence of CVE-2025-14162 being actively exploited in the wild.

Where can I find the official BMLT WordPress Satellite advisory for CVE-2025-14162?

Refer to the BMLT WordPress Satellite plugin's official website or WordPress plugin repository for the latest advisory and update information.

Seu projeto está afetado?

Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.

Escanear grátisBuscar CVEs