WordPress Plugin Vulnerabilities

MDirector Newsletter < 4.5.9 - Cross-Site Request Forgery to Plugin Settings Update

Description

The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
mdirector-newsletter
Fixed in 4.5.9

References

CVE
CVE-2025-14852
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9be389b4-0f76-4f58-806e-dfba531934ea

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
afnaan
Verified
No
WPVDB ID
cf7c6ce4-ba62-4030-9dbc-95ad35da880a

Timeline

Publicly Published
2026-02-13 (about 3 months ago)
Added
2026-02-13 (about 3 months ago)
Last Updated
2026-02-24 (about 3 months ago)

Other

Published
Title
Published
2021-06-21
Title
Staff Directory < 4.0 - Cross-Site Request Forgery (CSRF)
Published
2025-01-16
Title
Secure CAPTCHA <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-12-28
Title
Dynamic Content for Elementor < 2.12.5 - Cross-Site Request Forgery
Published
2025-04-09
Title
Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-12-27
Title
Apollo13 Framework Extensions < 1.9.2 - Cross-Site Request Forgery