CVE-2025-14447
Unknown Unknown - Not Provided

Unauthorized Data Modification in AnnunciFunebri Plugin via Missing Capability Check

Vulnerability report for CVE-2025-14447, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-13

Last updated on: 2026-04-08

Assigner: Wordfence

Description

The AnnunciFunebri Impresa plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the annfu_reset_options() function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all 29 plugin options, effectively resetting the plugin to its default state.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-13
Last Modified
2026-04-08
Generated
2026-07-06
AI Q&A
2025-12-13
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wordpress annuncifunebri_impresa_plugin *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in the AnnunciFunebri Impresa WordPress plugin allows authenticated users with Subscriber-level access or higher to modify data without proper authorization. This happens because the annfu_reset_options() function lacks a capability check, enabling these users to delete all 29 plugin options and reset the plugin to its default state.

Impact Analysis

This vulnerability can impact you by allowing low-privileged authenticated users to reset the plugin's settings to default, potentially disrupting the plugin's intended functionality and causing loss of customized configurations.

Detection Guidance

This vulnerability can be detected by checking if the AnnunciFunebri Impresa WordPress plugin version is 4.7.0 or earlier and by monitoring for unauthorized calls to the annfu_reset_options() function, which resets plugin options. Since the vulnerability allows authenticated users with Subscriber-level access or above to reset plugin options, you can detect suspicious activity by auditing WordPress user actions or logs for unexpected option resets. Specific commands are not provided in the resources, but you can use WordPress CLI commands to check the plugin version, for example: `wp plugin get annuncifunebri-onoranza --field=version`. Additionally, monitoring HTTP requests to the plugin's endpoints or custom logs for calls to annfu_reset_options() could help detect exploitation attempts. [1, 3]

Mitigation Strategies

Immediate mitigation steps include updating the AnnunciFunebri Impresa plugin to a version later than 4.7.0 where the missing capability check on annfu_reset_options() is fixed. If an update is not immediately available, restrict or audit user roles to prevent Subscriber-level or higher users from accessing or triggering the vulnerable function. Additionally, monitor and restrict access to the plugin's reset functionality and consider implementing custom capability checks or temporary patches to block unauthorized option resets. [1, 3]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14447. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart