CVE-2025-14907
CSRF Vulnerability in WordPress Moderate Selected Posts Plugin
Publication date: 2026-01-24
Last updated on: 2026-01-24
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | moderate_selected_posts | to 1.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Moderate Selected Posts WordPress plugin (versions up to and including 1.4). It occurs because the plugin's msp_admin_page() function lacks nonce verification, which is a security measure to confirm that requests are legitimate. As a result, an attacker can trick a site administrator into performing unintended actions, such as modifying plugin settings, by sending a forged request that the administrator unknowingly executes.
How can this vulnerability impact me? :
This vulnerability can allow an unauthenticated attacker to modify the settings of the Moderate Selected Posts plugin by tricking an administrator into clicking a malicious link or performing an action. This could lead to unauthorized changes in which posts have comment moderation enabled, potentially disrupting site moderation policies or enabling unwanted comments to appear without proper review.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Moderate Selected Posts WordPress plugin due to missing nonce verification in the msp_admin_page() function. Detection involves monitoring for unauthorized changes to plugin settings or unusual POST requests to the plugin's admin page without proper nonce tokens. You can check WordPress logs for unexpected POST requests to the plugin's admin page URL or audit changes in the 'msp_options' stored in the WordPress options table. Specific commands to detect this might include: 1) Using WP-CLI to check the current plugin options: `wp option get msp_options` to see if unexpected changes occurred. 2) Using web server logs or tools like `grep` to find POST requests to the plugin admin page endpoint, e.g., `grep 'POST /wp-admin/admin.php?page=moderate-selected-posts' /var/log/apache2/access.log`. 3) Using network monitoring tools to detect suspicious requests that could be CSRF attempts. However, no explicit detection commands are provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Moderate Selected Posts plugin to a version later than 1.4 where the nonce verification issue is fixed. If an update is not yet available, restrict access to the plugin's admin page to trusted administrators only, and educate administrators to avoid clicking on suspicious links that could trigger forged requests. Additionally, implementing web application firewall (WAF) rules to block CSRF attempts and enabling security plugins that enforce nonce verification can help mitigate the risk. Since the vulnerability arises from missing nonce verification in the msp_admin_page() function, adding nonce checks in custom patches or disabling the plugin temporarily are also possible mitigations. [2]