Cross-Site Request Forgery in BMLT WordPress Plugin by WordPress
CVE-2025-14162

4.3MEDIUM

Key Information:

Vendor

WordPress
Status
Bmlt WordPress Plugin
Vendor
CVE Published:
12 December 2025

What is CVE-2025-14162?

The BMLT WordPress Plugin is susceptible to Cross-Site Request Forgery attacks. This vulnerability stems from a lack of nonce validation on actions such as 'BMLTPlugin_create_option' and 'BMLTPlugin_delete_option'. As a result, this flaw allows unauthenticated attackers to potentially alter plugin settings by tricking an administrator into performing unintended actions, such as clicking on malicious links. Website administrators are urged to assess their installations and apply necessary security measures to protect against this vulnerability.

Affected Version(s)

BMLT WordPress Plugin * <= 3.11.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/bmlt-wordpress...
https://plugins.trac.wordpress.org/browser/bmlt-wordpress...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Nur Ibnu Hubab
JSON
.