Platform
wordpress
Component
yml-for-yandex-market
Fixed version
5.0.26
CVE-2025-14545 is a Remote Code Execution (RCE) vulnerability in the YML for Yandex Market plugin for WordPress. It is exploitable by authenticated users holding the Shop Manager role or higher, who can use it to execute arbitrary code on the server. The fixed release listed on this page is 5.0.26, so installations running a version earlier than 5.0.26 are affected; confirm the exact affected range against the plugin's changelog before closing the finding.
Successful exploitation of CVE-2025-14545 gives the attacker code execution in the context of the web-server or PHP process, which on a typical WordPress host is enough to take over the site and, depending on hardening, the server. From there the attacker can read the database credentials in wp-config.php and the data behind them, deface the site, install malware, drop backdoors for persistent access, and pivot into the surrounding network. Because the only prerequisite is a Shop Manager account, a phished or reused store-staff credential is sufficient to reach full server compromise.
CVE-2025-14545 was publicly disclosed on 2026-03-19. At the time of writing there are no known public exploits or active campaigns targeting it, and the EPSS score listed on this page is 0.10% (28th percentile), i.e. a low predicted probability of exploitation. Patching should still be prioritized: the outcome is RCE, and the Shop Manager privilege it requires is a role routinely handed to non-technical staff.
Any site with the YML for Yandex Market plugin installed is in scope, but exposure scales with the number of accounts that hold the Shop Manager privilege level or higher. Stores that give WooCommerce's Shop Manager role to several employees, contractors or agencies, or that grant it more broadly than necessary, offer an attacker more credentials to phish or reuse. Shared hosting environments where plugin updates are not managed centrally are at increased risk, as are legacy WordPress installations that are difficult to update quickly.
• wordpress / composer / npm: inspect where the plugin references the Shop Manager role, the privilege level an attacker needs:
grep -r 'shop_manager' /var/www/html/wp-content/plugins/yml-for-yandex-market/
• wordpress / composer / npm: confirm the plugin is installed and active:
wp plugin list --status=active | grep 'yml-for-yandex-market'
• wordpress / composer / npm: update to the fixed release:
wp plugin update yml-for-yandex-market --version=5.0.26
Disclosure date: 2026-03-19
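The WP-CLI commands above need a working WordPress bootstrap. On a box where WP-CLI is unavailable or the site is broken, the same question (is the installed copy below the fixed release?) can be answered from the plugin header alone. The script below is an added example, not code from the advisory or from the plugin project: it locates the plugin's main file the way WordPress does (the PHP file carrying a `Plugin Name:` header), reads its `Version:` line, and compares it against 5.0.26 component by component. The plugin directory path, the `make_sample_plugin` helper and the sample header it writes are assumptions for illustration; pre-release suffixes such as `-beta` are not handled.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the plugin project: decide
# whether an installed copy of yml-for-yandex-market is below the fixed release
# listed on this page without relying on WP-CLI, by reading the "Version:" line
# of the plugin header that WordPress itself uses.  Versions are compared
# numerically per dotted component; pre-release suffixes are not handled.
# The plugin directory path and the sample header are assumptions for illustration.

FIXED_VERSION="5.0.26"

# plugin_main_file DIR: prints the path of the PHP file carrying the "Plugin Name:"
# header, which is how WordPress identifies a plugin's main file.
plugin_main_file() {
    grep -l '^[[:space:]*]*Plugin Name:' "$1"/*.php 2>/dev/null | head -n 1
}

# plugin_version_from_header FILE: prints the "Version:" header value (empty if absent).
plugin_version_from_header() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# version_lt A B: returns 0 when dotted version A sorts before B, comparing each
# component numerically so that 5.0.9 < 5.0.26 and 5.0.26 == 5.0.26.0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# is_affected VERSION: prints "affected" when VERSION is older than FIXED_VERSION.
is_affected() {
    if version_lt "$1" "$FIXED_VERSION"; then echo "affected"; else echo "patched"; fi
}

# check_plugin_dir DIR: prints "<version> <affected|patched>" for the plugin in DIR,
# or returns 2 with a message on stderr when no usable header is found.
check_plugin_dir() {
    main=$(plugin_main_file "$1")
    [ -n "$main" ] || { echo "no plugin header found in $1" >&2; return 2; }
    ver=$(plugin_version_from_header "$main")
    [ -n "$ver" ] || { echo "no Version: header in $main" >&2; return 2; }
    echo "$ver $(is_affected "$ver")"
}

# make_sample_plugin DIR VERSION: writes a constructed plugin header (not the real
# plugin file) so the check can be exercised without a WordPress install.
make_sample_plugin() {
    mkdir -p "$1"
    printf '<?php\n/**\n * Plugin Name: YML for Yandex Market\n * Version: %s\n */\n' "$2" \
        > "$1/yml-for-yandex-market.php"
}

# Usage: sh check-yml-version.sh /var/www/html/wp-content/plugins/yml-for-yandex-market
if [ $# -gt 0 ]; then
    check_plugin_dir "$1"
fi
```

Run it against the real plugin directory on each host; a non-zero exit means the directory does not look like a WordPress plugin at all, which on a shared host usually means the path is wrong rather than the plugin absent.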
Exploitation status
No known public exploits or active campaigns at the time of writing
EPSS
0.10% (28th percentile)
CVSS vector
The primary mitigation for CVE-2025-14545 is to upgrade the YML for Yandex Market plugin to version 5.0.26 or later. If the upgrade must wait for compatibility testing, shrink the set of accounts that can reach the vulnerable code: exploitation requires Shop Manager or higher, so list every user holding Shop Manager or Administrator, remove or downgrade those that do not need the role, and require strong passwords and multi-factor authentication on the ones that remain. This narrows the attack surface but does not remove the flaw. Also monitor web-server and WordPress logs for unexpected activity around the plugin, for example direct requests to PHP files inside the plugin directory or PHP files appearing there after the last update, and treat any such hit as a possible sign of post-exploitation activity.
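The advisory gives no request-level indicator for the vulnerability itself, so the log review it recommends has to rely on generic post-exploitation signs for a PHP plugin RCE. The script below is an added example, not code from the advisory or the plugin project, and implements two such checks: direct HTTP requests to a `.php` file under the plugin directory (WordPress runs plugin code through its own entry points, so a client fetching `wp-content/plugins/<slug>/something.php` directly is how a dropped web shell is normally driven), and `.php` files in the plugin directory that are newer than the plugin's main file. The combined-log-format field positions, the constructed log lines written by `write_sample_log`, the `cache/x.php` file name and the paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the advisory or the plugin project.  The advisory
# gives no request-level indicators, so this is a generic post-compromise check
# for a PHP plugin RCE rather than a signature for CVE-2025-14545:
#  1. suspicious_requests: direct HTTP requests to a .php file under the plugin
#     directory.  WordPress executes plugin code through its own entry points
#     (index.php, wp-admin/*, admin-ajax.php); a client fetching
#     wp-content/plugins/<slug>/anything.php directly is how a dropped web shell
#     is normally driven.
#  2. unexpected_php_files: .php files in the plugin directory modified after the
#     plugin's main file, i.e. written after the last install or update.
# Combined-log-format fields, the constructed log lines and the file names are
# assumptions for illustration.

PLUGIN_PATH="/wp-content/plugins/yml-for-yandex-market/"

# suspicious_requests LOGFILE: prints "<ip> <method> <path> <status>" for every
# direct request to a PHP file below PLUGIN_PATH, query string stripped.
suspicious_requests() {
    awk -v p="$PLUGIN_PATH" '
        {
            method = substr($6, 2)          # $6 is "\"GET" in the combined format
            path = $7
            sub(/\?.*/, "", path)           # drop the query string before the suffix test
            if (index(path, p) == 1 && path ~ /\.php$/)
                print $1, method, path, $9  # $9 is the HTTP status code
        }' "$1"
}

# unexpected_php_files PLUGIN_DIR: lists .php files newer than the plugin's main
# file.  Right after a clean update every plugin file was written in the same run,
# so a clearly newer .php file was added later and needs triage (the extraction
# itself can leave sub-second differences, so treat hits as leads, not proof).
unexpected_php_files() {
    main=$(grep -l '^[[:space:]*]*Plugin Name:' "$1"/*.php 2>/dev/null | head -n 1)
    [ -n "$main" ] || { echo "no plugin header found in $1" >&2; return 2; }
    find "$1" -type f -name '*.php' -newer "$main" | sort
}

# write_sample_log FILE: constructed access-log lines (not real traffic) covering
# a normal admin page load, a static asset from the plugin, and a direct hit on a
# PHP file inside the plugin directory.
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - admin [19/Mar/2026:10:00:01 +0000] "GET /wp-admin/plugins.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - admin [19/Mar/2026:10:00:02 +0000] "GET /wp-content/plugins/yml-for-yandex-market/assets/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Mar/2026:10:00:09 +0000] "POST /wp-content/plugins/yml-for-yandex-market/cache/x.php?c=id HTTP/1.1" 200 88 "-" "curl/8.5.0"
EOF
}

# Usage: sh yml-post-patch-triage.sh /var/log/apache2/access.log \
#            /var/www/html/wp-content/plugins/yml-for-yandex-market
if [ $# -ge 2 ]; then
    suspicious_requests "$1"
    unexpected_php_files "$2"
fi
```

A hit from either check is a lead, not a verdict: some plugins legitimately serve a PHP file directly, and an update can leave files a second apart. Compare any flagged file against a fresh copy of the same plugin release before deciding it is a web shell, and preserve the log lines and file before removing anything.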
Update to version 5.0.26 or a later patched release.
CVE-2025-14545 is a Remote Code Execution vulnerability in the YML for Yandex Market WordPress plugin that lets authenticated users with the Shop Manager role or higher execute code on the server.
You are affected if you run a YML for Yandex Market version earlier than 5.0.26, the fixed release listed on this page. Upgrade to 5.0.26 or later to resolve the issue.
Upgrade the YML for Yandex Market plugin to version 5.0.26 or later through the WordPress plugin manager or via WP-CLI.
As of now, there are no confirmed reports of active exploitation, but the RCE nature warrants immediate patching.
Check the YML for Yandex Market plugin page on WordPress.org for updates and security advisories.