CVE-2025-14852

MEDIUM

MDirector Newsletter <4.5.8 - CSRF

Title source: llm

Description

The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

References (3)

Scores

CVSS v3 4.3
EPSS 0.0002
EPSS Percentile 5.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Classification

CWE
CWE-352
Status draft

Timeline

Published Feb 14, 2026
Tracked Since Feb 18, 2026