CVE-2025-14447
Unknown Unknown - Not Provided
Unauthorized Data Modification in AnnunciFunebri Plugin via Missing Capability Check

Publication date: 2025-12-13

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The AnnunciFunebri Impresa plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the annfu_reset_options() function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all 29 plugin options, effectively resetting the plugin to its default state.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-13
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2025-12-13
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14447
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress annuncifunebri_impresa_plugin *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by checking if the AnnunciFunebri Impresa WordPress plugin version is 4.7.0 or earlier and by monitoring for unauthorized calls to the annfu_reset_options() function, which resets plugin options. Since the vulnerability allows authenticated users with Subscriber-level access or above to reset plugin options, you can detect suspicious activity by auditing WordPress user actions or logs for unexpected option resets. Specific commands are not provided in the resources, but you can use WordPress CLI commands to check the plugin version, for example: `wp plugin get annuncifunebri-onoranza --field=version`. Additionally, monitoring HTTP requests to the plugin's endpoints or custom logs for calls to annfu_reset_options() could help detect exploitation attempts. [1, 3]

Mitigation Strategies

Immediate mitigation steps include updating the AnnunciFunebri Impresa plugin to a version later than 4.7.0 where the missing capability check on annfu_reset_options() is fixed. If an update is not immediately available, restrict or audit user roles to prevent Subscriber-level or higher users from accessing or triggering the vulnerable function. Additionally, monitor and restrict access to the plugin's reset functionality and consider implementing custom capability checks or temporary patches to block unauthorized option resets. [1, 3]

Executive Summary

The vulnerability in the AnnunciFunebri Impresa WordPress plugin allows authenticated users with Subscriber-level access or higher to modify data without proper authorization. This happens because the annfu_reset_options() function lacks a capability check, enabling these users to delete all 29 plugin options and reset the plugin to its default state.

Impact Analysis

This vulnerability can impact you by allowing low-privileged authenticated users to reset the plugin's settings to default, potentially disrupting the plugin's intended functionality and causing loss of customized configurations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14447. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart