CVE-2025-14465
CSRF Vulnerability in Sticky Action Buttons WordPress Plugin
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| praveen_tamil | sticky_action_buttons | to 1.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Sticky Action Buttons WordPress plugin (up to version 1.1). It occurs because the plugin's sabs_options_page_form_submit() function lacks proper nonce validation, allowing unauthenticated attackers to trick an administrator into submitting a forged request that updates the plugin's settings without their consent. [1]
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can cause unauthorized changes to the plugin's settings by tricking an administrator into performing an action, such as clicking a malicious link. This could lead to altered plugin behavior or configuration without the administrator's knowledge, potentially impacting website functionality or security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the Sticky Action Buttons plugin version 1.1 or earlier is installed and active on your WordPress site. Since the vulnerability is due to missing or incorrect nonce validation in the sabs_options_page_form_submit() function, you can audit plugin files for this function's nonce validation. Additionally, monitoring for unexpected POST requests to the plugin's admin options page that change settings without proper authentication could indicate exploitation attempts. Specific commands are not provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Sticky Action Buttons plugin to a version later than 1.1 once available, or if no update is available, disabling or uninstalling the plugin to prevent exploitation. Additionally, ensure that only trusted administrators have access to the WordPress admin area and educate administrators to avoid clicking on suspicious links that could trigger forged requests. [1]