Platform
wordpress
Component
mdirector-newsletter
Fixed in
4.5.9
CVE-2025-14852 identifies a Cross-Site Request Forgery (CSRF) vulnerability affecting the MDirector Newsletter WordPress plugin. This flaw allows unauthenticated attackers to manipulate plugin settings if they can convince a site administrator to perform a malicious action. The vulnerability impacts versions from 0.0.0 through 4.5.8, and a patch is available in version 4.5.9.
The CSRF vulnerability in the MDirector Newsletter plugin allows an attacker to execute unauthorized actions on a WordPress site with administrator privileges. By crafting a malicious link or form, an attacker can trick a logged-in administrator into unknowingly modifying the plugin's configuration. This could involve changing email settings, updating API keys, or altering other critical plugin parameters. Successful exploitation could lead to unauthorized data access, spam campaigns originating from the site, or even complete control over the plugin's behavior. The impact is amplified if the plugin is used for sensitive communications or data processing.
CVE-2025-14852 was publicly disclosed on 2026-02-14. There are currently no known public proof-of-concept exploits available. The vulnerability's CVSS score of 4.3 (MEDIUM) suggests a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog. Attackers could leverage this vulnerability in targeted attacks against WordPress sites using the MDirector Newsletter plugin.
WordPress sites utilizing the MDirector Newsletter plugin, particularly those with administrator accounts that frequently click on links or interact with external websites, are at risk. Shared hosting environments where multiple websites share the same server resources are also more vulnerable, as an attacker could potentially exploit the vulnerability on one site to gain access to others.
• wordpress / composer / npm:
grep -r 'mdirectorNewsletterSave' /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
wp plugin list | grep mdirector
• wordpress / composer / npm:
wp plugin update mdirector-newsletter
Exploit Status
EPSS
0.03% (6th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-14852 is to immediately upgrade the MDirector Newsletter plugin to version 4.5.9 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These could include restricting access to the plugin's settings page to specific administrator accounts, or implementing a Web Application Firewall (WAF) rule to block suspicious requests targeting the mdirectorNewsletterSave function. Verify the upgrade by attempting to access the plugin's settings page and confirming that the nonce verification is now in place, preventing unauthorized modifications.
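As an added illustration of the control the fix restores, and not code from the MDirector plugin, the following hypothetical WordPress settings-save handler shows the two checks that close a CSRF hole of this kind: a capability check and a nonce check. The hook, option and field names are placeholders.

```php
<?php
// Added example, not MDirector's code: a hypothetical admin-post handler for
// a plugin settings form, protected against CSRF with a WordPress nonce.
// Action, option and field names are placeholders.

add_action( 'admin_post_example_newsletter_save', 'example_newsletter_save_settings' );

function example_newsletter_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_newsletter_save">
        <?php
        // Emits a hidden field (example_newsletter_nonce) bound to the current
        // user and session; a third-party page cannot obtain or forge it.
        wp_nonce_field( 'example_newsletter_save', 'example_newsletter_nonce' );
        ?>
        <input type="text" name="api_key"
               value="<?php echo esc_attr( get_option( 'example_newsletter_api_key', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_newsletter_save_settings() {
    // 1. Authorization: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: a request forged from another site carries no valid nonce,
    //    so check_admin_referer() stops the request (it calls wp_die() on failure).
    check_admin_referer( 'example_newsletter_save', 'example_newsletter_nonce' );

    // 3. Validate and sanitize input before persisting it.
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    if ( $api_key !== '' && ! preg_match( '/^[A-Za-z0-9_-]{16,128}$/', $api_key ) ) {
        wp_die( 'Invalid API key format.', '', array( 'response' => 400 ) );
    }

    update_option( 'example_newsletter_api_key', $api_key );

    // Redirect back to the settings page after a successful save.
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
```

A handler that skips step 2 accepts any POST the administrator's browser sends, which is the condition described above; verifying the fix means confirming the nonce field appears in the form and that a request without it is rejected.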
Update to version 4.5.9 or a more recent fixed version.
CVE-2025-14852 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the MDirector Newsletter WordPress plugin, allowing attackers to manipulate plugin settings if an administrator clicks a malicious link.
You are affected if you are using the MDirector Newsletter WordPress plugin, versions 0.0.0 through 4.5.8. Upgrade to 4.5.9 to mitigate the risk.
Upgrade the MDirector Newsletter plugin to version 4.5.9 or later. As a temporary workaround, restrict access to the plugin's settings page or implement a WAF rule.
There are currently no confirmed reports of active exploitation, but the vulnerability's CVSS score indicates a moderate risk.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.