CVE-2025-14390
📋 TL;DR
This CSRF vulnerability in the Video Merchant WordPress plugin allows unauthenticated attackers to upload arbitrary files by tricking a logged-in administrator into clicking a malicious link. Successful exploitation can lead to remote code execution on affected WordPress sites. All WordPress installations running the Video Merchant plugin at version 5.0.4 or earlier are vulnerable.
💻 Affected Systems
- Video Merchant WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via remote code execution, allowing attackers to install backdoors, steal data, deface websites, or use the server for further attacks.
Likely Case
Attackers upload web shells or malicious scripts to gain persistent access, then escalate privileges to compromise the entire WordPress installation and potentially the underlying server.
If Mitigated
Attack fails due to proper CSRF protections, user awareness training, or network segmentation limiting the impact of successful exploitation.
🎯 Exploit Status
Exploitation requires social engineering to trick administrators, but the technical execution is straightforward once the user interacts with the malicious content.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.5 or later
Vendor Advisory: https://wordpress.org/plugins/video-merchant
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Video Merchant plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 5.0.5+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable Video Merchant Plugin
Temporarily deactivate the vulnerable plugin until it is patched:
wp plugin deactivate video-merchant
Add CSRF Protection Manually
Add nonce validation to the video_merchant_add_video_file() function so that upload requests lacking a valid nonce are rejected.
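The shape of the nonce check this workaround describes, as an added example that is not the plugin's own code: only the handler name video_merchant_add_video_file comes from this page; the wp_ajax_ hook registration, the nonce action string 'video_merchant_upload', the 'security' request field and the 'video-merchant-admin' script handle are assumptions for illustration.

```php
<?php
// Added example, not Video Merchant's real code. The handler name is from the
// advisory; hook name, nonce action, request field and script handle are assumed.

// Weak shape (hypothetical): whatever reaches the hook gets stored. A forged
// cross-site POST from a logged-in admin's browser is processed like any other.
function video_merchant_add_video_file_unprotected() {
    $moved = wp_handle_upload( $_FILES['video'], array( 'test_form' => false ) );
    wp_send_json( $moved );
}

// Hardened handler: nonce (CSRF) + capability + file-type allow-list.
function video_merchant_add_video_file() {
    // 1. CSRF: a request without a valid nonce for this action is terminated
    //    here (check_ajax_referer() ends the request with a 403 on failure).
    check_ajax_referer( 'video_merchant_upload', 'security' );

    // 2. Authorisation: the nonce proves intent, not privilege, so check both.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['video'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Restrict what may be stored regardless of the client-supplied name.
    $overrides = array(
        'test_form' => false,
        'mimes'     => array( 'mp4' => 'video/mp4', 'webm' => 'video/webm' ),
    );
    $result = wp_handle_upload( $_FILES['video'], $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'file' => $result['file'] ) );
}
// Register for logged-in users only: no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_video_merchant_add_video_file', 'video_merchant_add_video_file' );

// Hand the nonce to the admin page's (assumed) script so legitimate uploads
// can send it back in the 'security' field with their POST.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'video-merchant-admin', 'videoMerchant', array(
        'ajaxUrl'  => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( 'video_merchant_upload' ),
    ) );
} );
```

The nonce is tied to the logged-in user's session, so a third-party page cannot obtain one to include in a forged request; the capability check remains necessary because a valid nonce only shows the request originated from the plugin's own admin UI.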
🧯 If You Can't Patch
- Implement strict file upload restrictions via .htaccess or web server configuration
- Use web application firewall (WAF) rules to block suspicious file uploads and CSRF attempts
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin, go to Plugins → Video Merchant and read the version number. If the version is 5.0.4 or lower, you are vulnerable.
Check Version:
wp plugin get video-merchant --field=version
Verify Fix Applied:
After updating, verify Video Merchant plugin version shows 5.0.5 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to wp-content/uploads/video-merchant/
- POST requests to admin-ajax.php with action=video_merchant_add_video_file without proper nonce
- Multiple failed upload attempts from same IP
Network Indicators:
- HTTP POST requests containing file uploads to WordPress admin endpoints from unauthenticated sources
- Suspicious referrer headers in admin area requests
SIEM Query:
source="wordpress.log" AND ("video_merchant_add_video_file" OR "/wp-admin/admin-ajax.php") AND NOT "_wpnonce="