CVE-2025-14904
CSRF Vulnerability in WordPress Newsletter Email Subscribe Plugin
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| newsletter_email_subscribe | newsletter_email_subscribe | up to and including 2.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Newsletter Email Subscribe plugin for WordPress, affecting versions up to and including 2.4. It occurs because of incorrect nonce validation in the nels_settings_page function, allowing unauthenticated attackers to update plugin settings if they can trick a site administrator into performing an action like clicking a malicious link.
How can this vulnerability impact me?
An attacker could exploit this vulnerability to change the plugin settings without authorization by tricking an administrator into clicking a crafted link. This could lead to unauthorized configuration changes, potentially affecting the functionality or security of the website.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Newsletter Email Subscribe plugin for WordPress to a version later than 2.4 where the nonce validation issue is fixed. Additionally, avoid clicking on suspicious links and ensure site administrators are aware of the risk of Cross-Site Request Forgery attacks.
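The two answers above describe the fault as incorrect nonce validation in a settings-page handler and the remedy as fixing that validation. The following is an added illustration, not code from the Newsletter Email Subscribe plugin: a hypothetical WordPress settings handler (function, option and action names are made up) showing one common form of incorrect nonce handling next to the pattern WordPress expects, a capability check plus a nonce check whose result is enforced.

```php
<?php
// Added example, not the plugin's code. Names (demo_settings_page,
// demo_option, demo_save_settings, demo_nonce) are hypothetical.

// Weak pattern: the nonce is verified but the result is never used, so a
// cross-site POST carrying any value still reaches update_option(). This is
// one form of incorrect validation, not necessarily the plugin's actual defect.
function demo_settings_page_weak() {
    if ( isset( $_POST['demo_save'] ) ) {
        wp_verify_nonce( $_POST['demo_nonce'] ?? '', 'demo_save_settings' ); // return value ignored
        update_option( 'demo_option', sanitize_text_field( wp_unslash( $_POST['demo_option'] ?? '' ) ) );
    }
}

// Hardened pattern: confirm the caller may manage options, then require a
// valid per-user, per-action nonce before writing. A forged request from
// another origin cannot supply that nonce, which is the CSRF mitigation.
function demo_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo' ) );
    }
    if ( isset( $_POST['demo_save'] ) ) {
        // check_admin_referer() validates the nonce for this action and
        // terminates the request on failure, so the write below is gated.
        check_admin_referer( 'demo_save_settings', 'demo_nonce' );
        update_option( 'demo_option', sanitize_text_field( wp_unslash( $_POST['demo_option'] ?? '' ) ) );
        add_settings_error( 'demo', 'saved', __( 'Settings saved.', 'demo' ), 'updated' );
    }
    settings_errors( 'demo' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'demo_save_settings', 'demo_nonce' ); // emits the hidden nonce field ?>
        <input type="text" name="demo_option"
               value="<?php echo esc_attr( get_option( 'demo_option', '' ) ); ?>">
        <?php submit_button( __( 'Save', 'demo' ), 'primary', 'demo_save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of issue, look for settings writes reachable without a `check_admin_referer()` or an enforced `wp_verify_nonce()` result, and confirm a `current_user_can()` check sits alongside the nonce check rather than replacing it.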