CVE-2025-14462
CSRF Vulnerability in Lucky Draw Contests WordPress Plugin

Publication date: 2025-12-13

Last updated on: 2025-12-13

Assigner: Wordfence

Description
The Lucky Draw Contests plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation in misc-settings.php. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Meta Information
Generated: 2026-05-06
AI Q&A: 2025-12-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE: vendor wordpress, product luckydraw_contests_plugin, version range * (the CPE does not bound the version; the description above limits affected releases to 4.2 and earlier)
CWE
CWE-352 (Cross-Site Request Forgery): The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

The Lucky Draw Contests plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 4.2, caused by missing or incorrect nonce validation in misc-settings.php. A WordPress nonce is the per-user, per-action token that proves a form was submitted from the site's own admin page; without it, the settings handler accepts any POST that arrives with a logged-in administrator's cookies. An attacker who lures an administrator to a page they control (for example via a link) can have that page submit the settings form from the administrator's browser, so the plugin settings are updated with the victim's privileges even though the attacker holds no account on the site.
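The flaw class the description names, a settings save that checks who the user is but not whether they meant to send the request, next to the WordPress nonce pattern that closes it. This is an added illustration, not the Lucky Draw Contests plugin's own code; the function names, option key, form field names and nonce action string are assumptions:

```php
<?php
// Added illustration, not the Lucky Draw Contests plugin's code. Option key,
// field names, function names and the nonce action string are assumptions.

// VULNERABLE: a capability check proves the request carries an admin session,
// but the browser attaches that session to a cross-site form post too, so an
// attacker's page can submit this form on the admin's behalf.
function ldc_example_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // No nonce check: any origin can trigger this write with the admin's cookies.
    // Equally wrong is calling wp_verify_nonce() and discarding its result:
    //   wp_verify_nonce( $_POST['ldc_example_nonce'] ?? '', 'ldc_example_save_misc' );
    update_option( 'ldc_example_misc', array(
        'gdpr_page'  => absint( $_POST['gdpr_page'] ?? 0 ),
        'terms_page' => absint( $_POST['terms_page'] ?? 0 ),
    ) );
}

// HARDENED, part 1: the form embeds a nonce bound to this action and to the
// current user's session. An attacker's page cannot read it because of the
// same-origin policy, so a forged POST cannot include a valid value.
function ldc_example_render_form() {
    $opts = get_option( 'ldc_example_misc', array( 'gdpr_page' => 0, 'terms_page' => 0 ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ldc_example_save_misc">
        <?php wp_nonce_field( 'ldc_example_save_misc', 'ldc_example_nonce' ); ?>
        <label>GDPR page ID <input type="number" name="gdpr_page"
            value="<?php echo esc_attr( $opts['gdpr_page'] ); ?>"></label>
        <label>Terms page ID <input type="number" name="terms_page"
            value="<?php echo esc_attr( $opts['terms_page'] ); ?>"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// HARDENED, part 2: keep the capability check (authorization) and add the
// nonce check (intent). check_admin_referer() validates the nonce field
// against the action and stops the request with wp_die() if it fails.
function ldc_example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'ldc_example_save_misc', 'ldc_example_nonce' );

    update_option( 'ldc_example_misc', array(
        'gdpr_page'  => absint( $_POST['gdpr_page'] ?? 0 ),
        'terms_page' => absint( $_POST['terms_page'] ?? 0 ),
    ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_ldc_example_save_misc', 'ldc_example_save_settings_hardened' );
```

The capability check alone is not CSRF protection: it answers "is this user allowed?", while the nonce answers "did this user actually submit this form from our page?". Both checks belong on every state-changing admin action.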


How can this vulnerability impact me?

An unauthenticated attacker who can get an administrator to open a crafted page can change the plugin's settings with that administrator's privileges. The damage is bounded by what the misc-settings.php form controls, but within that scope the attacker chooses the values, altering the plugin's configuration and, through it, the website's behaviour or security.


What immediate steps should I take to mitigate this vulnerability?

Update the Lucky Draw Contests plugin to a release later than 4.2 in which the nonce validation in misc-settings.php is fixed; if no such release is available, deactivate the plugin until one is. Until the update is in place, administrators should avoid following untrusted links while logged in to wp-admin (or log out first), since the forged request only works while the administrator's session is active, and should be made aware of how CSRF attacks are delivered.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to update plugin settings via forged requests, potentially altering configurations related to the GDPR and Terms & Conditions pages. Since the plugin handles GDPR-related settings, exploitation could misconfigure or manipulate compliance-related options, which may affect adherence to GDPR. The provided information does not, however, describe a direct compliance impact or any data breach consequences related to HIPAA or other regulations. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection has two parts: confirming that an affected version is installed, and looking for forged requests against the settings endpoint.

To confirm exposure, list the installed plugins with WP-CLI and look for the Lucky Draw Contests plugin at version 4.2 or below: `wp plugin list --format=json`. Match on the plugin's name or directory as shown on the WordPress plugins screen; the CPE product string `luckydraw_contests_plugin` is a catalogue identifier and is not necessarily the plugin's slug. Confirming that misc-settings.php lacks a nonce check means reading the file in the plugin directory for a `check_admin_referer()` or `wp_verify_nonce()` call on the save path.

Because the weakness is a settings update accepted without a valid nonce, exploitation shows up as a POST to the plugin's settings handler that was not submitted from the site's own admin pages. Web server access logs can be searched for such requests, for example `grep 'POST .*misc-settings.php' /var/log/apache2/access.log` for Apache or `grep 'POST .*misc-settings.php' /var/log/nginx/access.log` for nginx. Two caveats apply. If the plugin routes the form through a WordPress admin page rather than calling the file directly, the file name will not appear in the request line and the grep should target that admin page URL instead. And access logs do not record POST bodies, so a missing `Lucky_Draw_Nonce` parameter [2] can only be observed with a web application firewall rule or application-level request logging, not with grep. What the access log does carry is the Referer, and a POST to the settings handler whose Referer is absent or belongs to another host is the CSRF signature worth triaging. No specific detection commands are provided in the resources. [2]
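An added example, not from the advisory or the plugin, that applies the Referer check above to combined-format access log lines: a legitimate settings save is submitted from the site's own wp-admin page, while a CSRF post arrives with the attacker's page, or nothing, as Referer. The site host, the plugin directory name and the sample log lines are constructed assumptions:

```php
<?php
// Added example, not from the advisory or the plugin. Scans combined-format
// access log lines for POSTs to misc-settings.php whose Referer is not the
// site's own host. SITE_HOST, the plugin directory name and the sample log
// lines are assumptions constructed for illustration.

const SITE_HOST = 'shop.example'; // assumed hostname of the WordPress site

// Parse one Apache/nginx "combined" log line into its fields, or null.
function parse_combined_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
    );
}

// A POST to the settings handler is expected only from the site's own admin
// pages. A foreign or absent Referer is the CSRF signature: the admin's
// browser sent the request, but from the attacker's page.
function is_suspicious( array $r ): bool {
    if ( $r['method'] !== 'POST' || strpos( $r['path'], 'misc-settings.php' ) === false ) {
        return false;
    }
    $ref_host = $r['referer'] === '-' ? '' : (string) parse_url( $r['referer'], PHP_URL_HOST );
    return strcasecmp( $ref_host, SITE_HOST ) !== 0;
}

// Return the parsed records that match the CSRF signature.
function scan_log( iterable $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $r = parse_combined_line( trim( (string) $line ) );
        if ( $r !== null && is_suspicious( $r ) ) {
            $hits[] = $r;
        }
    }
    return $hits;
}

// Constructed sample: one legitimate save, one forged from an attacker page,
// one with no Referer, one unrelated GET. Plugin directory name is assumed.
$sample = array(
    '203.0.113.7 - - [13/Dec/2025:10:01:02 +0000] "POST /wp-content/plugins/lucky-draw-example/misc-settings.php HTTP/1.1" 302 0 "https://shop.example/wp-admin/admin.php?page=ldc-misc" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Dec/2025:10:05:44 +0000] "POST /wp-content/plugins/lucky-draw-example/misc-settings.php HTTP/1.1" 302 0 "https://attacker.invalid/lure.html" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Dec/2025:10:06:01 +0000] "POST /wp-content/plugins/lucky-draw-example/misc-settings.php HTTP/1.1" 200 511 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Dec/2025:10:07:10 +0000] "GET /wp-admin/admin.php?page=ldc-misc HTTP/1.1" 200 9001 "https://shop.example/wp-admin/" "Mozilla/5.0"',
);

// Usage: php ldc_csrf_scan.php [/var/log/nginx/access.log]
// Without an argument the constructed sample is scanned; the second and
// third sample lines are reported.
$lines = isset( $argv[1] ) ? new SplFileObject( $argv[1] ) : $sample;
foreach ( scan_log( $lines ) as $hit ) {
    printf( "%s %s POST %s referer=%s status=%d\n",
        $hit['time'], $hit['ip'], $hit['path'], $hit['referer'], $hit['status'] );
}
```

Treat hits as triage leads rather than proof: browsers honouring a strict Referrer-Policy also send no Referer, so an absent value needs correlation with the admin's own activity, and if the plugin's form posts to a WordPress admin URL instead of the file itself, the path match in `is_suspicious()` should be changed to that URL.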

