CVE-2025-14903
CSRF Vulnerability in Simple Crypto Shortcodes Plugin Allows Settings Modification
Publication date: 2026-01-24
Last updated on: 2026-01-24
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | simple_crypto_shortcodes | to 1.0.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Simple Crypto Shortcodes WordPress plugin (up to version 1.0.2) is a Cross-Site Request Forgery (CSRF) issue caused by missing nonce validation on the scs_backend function. This allows unauthenticated attackers to update the plugin settings by tricking a site administrator into performing an action, such as clicking a malicious link, which then executes the forged request.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to change the plugin settings without authorization by exploiting the administrator's session. Although it does not directly compromise data confidentiality or availability, it can lead to unauthorized changes in plugin configuration, potentially affecting the website's behavior or security posture.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Simple Crypto Shortcodes plugin to a version later than 1.0.2 where the nonce validation issue is fixed. Until an update is available, restrict access to the plugin's admin interface to trusted administrators only and avoid clicking on suspicious links that could trigger forged requests.