平台
wordpress
组件
bmlt-wordpress-satellite-plugin
修复版本
3.11.5
3.11.5
A Cross-Site Request Forgery (CSRF) vulnerability exists in the BMLT WordPress Satellite plugin for WordPress. This flaw, present in versions up to and including 3.11.4, stems from insufficient nonce validation during the creation and deletion of plugin options. Successful exploitation allows unauthenticated attackers to manipulate plugin settings by tricking a site administrator into performing malicious actions.
The primary impact of this CSRF vulnerability is the ability for an attacker to modify the BMLT WordPress Satellite plugin's configuration without authentication. By crafting malicious links or forms, an attacker can induce a site administrator to unknowingly execute actions that create or delete plugin options. This could lead to unauthorized changes in plugin behavior, potentially impacting site functionality or exposing sensitive data. While the direct data at risk is limited to plugin-specific settings, the ability to alter plugin behavior could have broader consequences depending on the plugin's functionality and integration with other site components. This vulnerability shares similarities with other CSRF exploits where user interaction is required to trigger the malicious action.
CVE-2025-14162 was publicly disclosed on December 11, 2025. There is no indication of this vulnerability being actively exploited in the wild at this time. The EPSS score is likely to be low to medium, given the requirement for user interaction (tricking an administrator) and the relatively limited scope of potential impact. No public proof-of-concept exploits have been identified as of the disclosure date.
WordPress websites utilizing the BMLT WordPress Satellite plugin, particularly those with administrator accounts that are not adequately protected with strong passwords and multi-factor authentication, are at risk. Shared hosting environments where multiple websites share the same server resources are also potentially vulnerable, as a compromise of one site could potentially impact others.
• wordpress / composer / npm:
grep -r 'BMLTPlugin_create_option' /var/www/html/wp-content/plugins/• wordpress / composer / npm:
wp plugin list | grep BMLT• wordpress / composer / npm:
wp plugin update --all• generic web: Check for suspicious URLs containing plugin-specific parameters in access logs. • generic web: Inspect HTTP requests for unexpected POST requests targeting plugin endpoints.
disclosure
漏洞利用状态
EPSS
0.02% (3% 百分位)
CISA SSVC
CVSS 向量
The recommended mitigation is to immediately upgrade the BMLT WordPress Satellite plugin to a version newer than 3.11.4, where the vulnerability has been addressed. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, ensure that all administrator accounts have strong, unique passwords and that multi-factor authentication is enabled. Regularly review plugin settings for any unauthorized modifications. There are no specific Sigma or YARA rules readily available for this particular vulnerability, but generic CSRF detection rules can be applied.
没有已知的补丁可用。请深入审查漏洞的详细信息,并根据您组织的风险承受能力采取缓解措施。最好卸载受影响的软件并寻找替代方案。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-14162 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the BMLT WordPress Satellite plugin versions up to 3.11.4, allowing attackers to manipulate plugin settings.
You are affected if your WordPress site uses the BMLT WordPress Satellite plugin version 3.11.4 or earlier. Upgrade to a patched version to resolve the vulnerability.
Upgrade the BMLT WordPress Satellite plugin to a version newer than 3.11.4. Consider implementing a WAF and enabling multi-factor authentication for administrator accounts as interim measures.
As of December 11, 2025, there is no public evidence of CVE-2025-14162 being actively exploited in the wild.
Refer to the BMLT WordPress Satellite plugin's official website or WordPress plugin repository for the latest advisory and update information.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。