CVE-2025-14846

SocialChamp with WordPress <= 1.3.5 - Cross-Site Request Forgery to Plugin Settings Update

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.3.6
Patched in
43d
Time to patch

Description

The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.5. This is due to missing nonce validation on the wpsc_settings_tab_menu function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.3.5
PublishedJanuary 13, 2026
Last updatedFebruary 25, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-14846 (SocialChamp CSRF) ## 1. Vulnerability Summary The **SocialChamp with WordPress** plugin (versions <= 1.3.5) is vulnerable to **Cross-Site Request Forgery (CSRF)**. The vulnerability exists because the function `wpsc_settings_tab_menu` (likely responsibl…

Show full research plan

Exploitation Research Plan: CVE-2025-14846 (SocialChamp CSRF)

1. Vulnerability Summary

The SocialChamp with WordPress plugin (versions <= 1.3.5) is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists because the function wpsc_settings_tab_menu (likely responsible for both rendering the settings page and processing its form submissions) fails to perform nonce validation using check_admin_referer() or wp_verify_nonce(). This allows an attacker to modify the plugin's configuration (e.g., API keys, default posting settings) by tricking a logged-in administrator into visiting a malicious webpage.

2. Attack Vector Analysis

  • Vulnerable Endpoint: /wp-admin/admin.php?page=social-champ-settings (The slug social-champ-settings is inferred from the plugin name and standard conventions).
  • Vulnerable Function: wpsc_settings_tab_menu
  • HTTP Method: POST
  • Authentication Requirement: Authenticated Administrator (to bypass current_user_can checks, which are typically present even when nonces are missing).
  • Payload Carry: The payload is carried in the POST body as standard form fields (e.g., wpsc_api_key, wpsc_api_secret).
  • Preconditions: The plugin must be installed and active. The victim must be a logged-in administrator.

3. Code Flow

  1. Registration: The plugin registers a settings page using add_menu_page or add_submenu_page, designating wpsc_settings_tab_menu as the callback function.
  2. Entry Point: When the administrator visits the settings page or submits the settings form, WordPress executes wpsc_settings_tab_menu.
  3. Sink (Processing): Inside wpsc_settings_tab_menu, the code likely contains a block similar to:
    if ( isset( $_POST['wpsc_save_settings'] ) ) { // Inferred parameter
        update_option( 'wpsc_api_key', sanitize_text_field( $_POST['wpsc_api_key'] ) );
        // ... other settings ...
    }
    
  4. The Flaw: There is no call to check_admin_referer() or wp_verify_nonce() before the update_option calls. While it might check current_user_can( 'manage_options' ), this check is inherently satisfied when an admin's browser processes a CSRF request.

4. Nonce Acquisition Strategy

No nonce is required.
The essence of CVE-2025-14846 is the total absence of nonce validation in the wpsc_settings_tab_menu function. To exploit this:

  1. The attacker does not need to obtain a nonce.
  2. The attacker simply omits any nonce parameters or provides arbitrary values.
  3. If the plugin's form happens to include a nonce field for show, the backend logic ignores it, allowing the forged request to proceed.

5. Exploitation Strategy

The goal is to overwrite the SocialChamp API settings with attacker-controlled values.

Step 1: Discover Parameters

Navigate to the settings page as an admin and identify the exact POST parameter names and the menu slug.

  • Action: Use browser_navigate to wp-admin/admin.php?page=social-champ-settings (or the correct slug found via wp menu list).
  • Action: Use browser_eval to extract input names:
    browser_eval("Array.from(document.querySelectorAll('input[name]')).map(i => i.name)")

Step 2: Forge the CSRF Request

Once parameters are identified (assuming wpsc_api_key and wpsc_save_settings for this plan), construct a POST request.

  • Tool: http_request
  • URL: http://localhost:8080/wp-admin/admin.php?page=social-champ-settings
  • Method: POST
  • Headers:
    • Content-Type: application/x-www-form-urlencoded
    • Cookie: [Admin Session Cookies]
  • Body:
    wpsc_api_key=ATTACKER_API_KEY&wpsc_save_settings=1 (Exact keys must be verified in Step 1).

6. Test Data Setup

  1. Plugin Installation: Ensure auto-post-to-social-media-wp-to-social-champ version 1.3.5 is installed.
  2. Admin User: Have an active admin session available for the http_request tool.
  3. Initial State: (Optional) Set a dummy value for the settings first:
    wp option update wpsc_api_key "original_legit_key"

7. Expected Results

  • HTTP Response: A 302 Redirect back to the settings page or a 200 OK with a "Settings Saved" message in the HTML.
  • Internal State: The WordPress database option wpsc_api_key (or equivalent) should now contain ATTACKER_API_KEY.

8. Verification Steps

After the http_request is sent, verify the change via WP-CLI:

  1. Check Options:
    wp option get wpsc_api_key
  2. Compare: Confirm the output matches ATTACKER_API_KEY.

9. Alternative Approaches

If the settings are not processed in wpsc_settings_tab_menu directly but via admin-post.php:

  • Endpoint: wp-admin/admin-post.php
  • Payload: Include action=wpsc_save_settings (or similar) in the POST body.
  • Validation: Check for the absence of _wpnonce verification in the function hooked to admin_post_wpsc_save_settings.

If the parameters are JSON-encoded (unlikely for a standard settings page):

  • Content-Type: application/json
  • Body: {"wpsc_api_key": "ATTACKER_API_KEY"}

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.