Description
The Animated Pixel Marquee Creator plugin for WordPress is vulnerable to Cross-Site Request Forgery via the 'marquee' parameter in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the marquee deletion function. This makes it possible for unauthenticated attackers to delete arbitrary marquees via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-12-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Deletion of Marquee Content
Action: Update Plugin
AI Analysis

Impact

The plugin's marquee deletion handler does not validate a WordPress nonce, so it cannot tell a request the administrator intended from one a third-party page submitted on their behalf. An unauthenticated attacker who lures a logged-in administrator to a crafted link or page can make the administrator's browser send the deletion request; it succeeds because the browser attaches the administrator's session cookies automatically, and nothing else in the request proves intent. The result is deletion of any marquee the attacker can name through the 'marquee' parameter, with no direct site access and no credential theft required.

Affected Systems

Any WordPress installation running tekafran's Animated Pixel Marquee Creator at version 1.0.0 or earlier is affected. The flaw is in the deletion function of the plugin's marquees_list.php admin page. The attacker needs no account of their own, but the forged request must be executed by a browser logged in as an administrator, since that is the role permitted to delete marquees.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects a medium-severity integrity impact limited to marquee content; the EPSS score below 1% and the absence of a CISA KEV entry indicate no observed exploitation. The attacker needs no privileges, but an administrator must open a crafted link or page while logged in, so the practical barrier is social engineering rather than technical difficulty.

Generated by OpenCVE AI on April 20, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Animated Pixel Marquee Creator to a version that implements nonce validation for marquee deletion, once the vendor publishes one
  • Disable or remove the plugin if an upgrade is not yet available; removal is the safer option, since the files of a merely deactivated plugin remain on disk
  • As a partial stopgap, add a WAF or reverse-proxy rule that rejects requests to the plugin's marquees_list.php deletion action when the Sec-Fetch-Site header is cross-site or the Origin/Referer header does not match the site; this does not replace the missing nonce, because a forged request otherwise looks identical to a legitimate one and arrives with the administrator's own cookies
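The missing check described under Impact and the nonce validation the first recommended action calls for, shown side by side as an added example. This is illustrative code written for this page, not the plugin's own source: the apmc_* function names, the admin page slug, the option key used as storage, and the manage_options capability are assumptions. The page establishes only that deletion is keyed on the 'marquee' parameter and lacks nonce validation.

```php
<?php
// Added example, not code from the Animated Pixel Marquee Creator plugin.
// Function names, page slug, storage key and capability are assumptions.

// --- Vulnerable pattern (CWE-352): delete on any request naming a marquee.
// The capability check only proves the browser is logged in as an
// administrator. A forged cross-site request satisfies it too, because the
// browser sends the admin's session cookies with every request to the site.
function apmc_delete_marquee_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $id = isset( $_GET['marquee'] ) ? absint( $_GET['marquee'] ) : 0;
    delete_option( 'apmc_marquee_' . $id ); // assumed storage for a marquee
    wp_safe_redirect( admin_url( 'admin.php?page=marquees_list' ) );
    exit;
}

// --- Hardened pattern: mint a nonce bound to the action and the id,
// and refuse the request unless it comes back unchanged.
function apmc_delete_link( $id ) {
    $id  = absint( $id );
    $url = add_query_arg(
        array( 'page' => 'marquees_list', 'action' => 'delete', 'marquee' => $id ),
        admin_url( 'admin.php' )
    );
    // wp_nonce_url() appends _wpnonce=<token>; the token is derived from the
    // action string, the current user's session and a time window, so a page
    // on another origin cannot guess or reuse it.
    return esc_url( wp_nonce_url( $url, 'apmc_delete_marquee_' . $id ) );
}

function apmc_delete_marquee_hardened() {
    // Authorization: still required. The nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $id = isset( $_GET['marquee'] ) ? absint( $_GET['marquee'] ) : 0;
    // check_admin_referer() verifies _wpnonce against the action name and
    // calls wp_die() when it is missing or wrong. Binding the id into the
    // action name means a token minted for one marquee cannot delete another.
    check_admin_referer( 'apmc_delete_marquee_' . $id );
    delete_option( 'apmc_marquee_' . $id );
    wp_safe_redirect( admin_url( 'admin.php?page=marquees_list' ) );
    exit;
}
```

Both the capability check and the nonce check are needed: dropping the first turns the issue into missing authorization, dropping the second is this CVE. Because WordPress nonces are valid for a limited window and tied to the logged-in session, the link must be generated server-side for the administrator at view time rather than hard-coded.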


Advisories

No advisories yet.

History

Fri, 12 Dec 2025 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Dec 2025 09:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Type: Description
Values Added: The Animated Pixel Marquee Creator plugin for WordPress is vulnerable to Cross-Site Request Forgery via the 'marquee' parameter in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the marquee deletion function. This makes it possible for unauthenticated attackers to delete arbitrary marquees via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Added: Animated Pixel Marquee Creator <= 1.0.0 - Cross-Site Request Forgery via 'marquee' Parameter

Type: Weaknesses
Values Added: CWE-352

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:21.424Z

Reserved: 2025-12-04T20:06:50.535Z

Link: CVE-2025-14062

Vulnrichment

Updated: 2025-12-12T16:22:01.500Z

NVD

Status : Deferred

Published: 2025-12-12T04:15:46.883

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14062

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:30:18Z

Weaknesses