Platform
wordpress
Component
doubledome-resource-link-library
Fixed version
1.5.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Resource Library for Logged In Users plugin for WordPress. This flaw allows unauthenticated attackers to potentially perform unauthorized actions on a WordPress site if they can trick an administrator into clicking a malicious link. The vulnerability affects versions 1.0.0 through 1.5, but has been resolved in version 1.6.
The CSRF vulnerability allows an attacker to execute actions as the currently logged-in administrator. This includes the creation, modification, and deletion of resources and categories within the Resource Library. Successful exploitation could lead to unauthorized content being added to the site, sensitive data being altered, or critical resources being removed, potentially disrupting site functionality or compromising data integrity. The impact is amplified if the administrator has broad permissions within the WordPress installation.
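As an added illustration that is not the plugin's own code, the pattern behind a CSRF flaw of this kind in a WordPress admin-post handler, shown next to the hardened form that binds the request to a nonce and a capability check; the action names, nonce name, post type and menu slug are assumed placeholders.

```php
<?php
// Added illustration (not the plugin's code). Hypothetical admin-post handler for
// creating a "resource"; hook names, nonce name and post type are assumed.

// BEFORE: the handler trusts any request that reaches admin-post.php. A form on a
// third-party page submitted by a logged-in administrator creates the resource.
add_action( 'admin_post_rl_example_create_resource', 'rl_example_create_resource_vulnerable' );
function rl_example_create_resource_vulnerable() {
    $name    = sanitize_text_field( wp_unslash( $_POST['resource_name'] ?? '' ) );
    $content = wp_kses_post( wp_unslash( $_POST['resource_content'] ?? '' ) );
    // No nonce check and no capability check: CSRF plus missing authorization.
    wp_insert_post( array(
        'post_type'    => 'rl_resource',
        'post_title'   => $name,
        'post_content' => $content,
        'post_status'  => 'publish',
    ) );
    wp_safe_redirect( admin_url( 'admin.php?page=rl_example' ) );
    exit;
}

// AFTER: the form carries a nonce bound to this action, and the handler verifies it
// before acting. A cross-site form cannot read the nonce, so its request is rejected.
function rl_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'rl_example_create_resource', 'rl_example_nonce' );
    echo '<input type="hidden" name="action" value="rl_example_create_resource_fixed">';
    echo '<input type="text" name="resource_name">';
    echo '<textarea name="resource_content"></textarea>';
    submit_button( 'Create resource' );
    echo '</form>';
}

add_action( 'admin_post_rl_example_create_resource_fixed', 'rl_example_create_resource_fixed' );
function rl_example_create_resource_fixed() {
    // check_admin_referer() calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'rl_example_create_resource', 'rl_example_nonce' );
    // Authorization is a separate check: a nonce proves intent, not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to create resources.' ), '', array( 'response' => 403 ) );
    }
    $name    = sanitize_text_field( wp_unslash( $_POST['resource_name'] ?? '' ) );
    $content = wp_kses_post( wp_unslash( $_POST['resource_content'] ?? '' ) );
    wp_insert_post( array(
        'post_type'    => 'rl_resource',
        'post_title'   => $name,
        'post_content' => $content,
        'post_status'  => 'publish',
    ) );
    wp_safe_redirect( admin_url( 'admin.php?page=rl_example' ) );
    exit;
}
```

The grep for wp_nonce_field in the checks below finds forms that emit a nonce; confirm separately that every handler on the receiving side verifies it, since an unverified nonce gives no protection.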
This vulnerability is publicly known and documented. While no active exploitation campaigns have been definitively linked to CVE-2025-14354 at the time of writing, the availability of CSRF exploitation techniques makes it a potential target. The vulnerability was disclosed on 2025-12-12. No KEV listing is currently available.
WordPress sites utilizing the Resource Library for Logged In Users plugin, particularly those with shared hosting environments or legacy configurations where administrators may be more susceptible to social engineering attacks, are at risk. Sites where administrators routinely click links from untrusted sources are also more vulnerable.
• wordpress / composer / npm:
  grep -r 'wp_nonce_field' /var/www/html/wp-content/plugins/resource-library-for-logged-in-users/
• generic web:
  curl -I 'https://example.com/wp-admin/admin-post.php?action=resource_library_create_resource&resource_name=TestResource&resource_content=TestContent' | grep -i 'referer'
Exploitation status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Resource Library for Logged In Users plugin to version 1.6 or later. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, educate administrators to be cautious of suspicious links and avoid clicking them while logged into WordPress. Regularly review WordPress user permissions to minimize the potential impact of a successful attack.
Update to version 1.6 or a later fixed version
CVE-2025-14354 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 1.0.0–1.5 of the Resource Library for Logged In Users WordPress plugin, allowing unauthorized actions.
If you are using versions 1.0.0 through 1.5 of the Resource Library for Logged In Users plugin for WordPress, you are potentially affected by this vulnerability.
Upgrade the Resource Library for Logged In Users plugin to version 1.6 or later to resolve the CSRF vulnerability. Consider a WAF as a temporary mitigation.
While no confirmed active exploitation campaigns are currently known, the vulnerability's nature makes it a potential target.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.