Description
The Resource Library for Logged In Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to perform various unauthorized actions including creating, editing, and deleting resources and categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-12-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery due to missing nonce validation on several administrative functions of the Resource Library for Logged In Users plugin. An attacker can forge a request that, when a legitimate site administrator clicks a link or performs a similar action, will create, edit, or delete resources and categories. Because these changes affect site content and structure, the impact is to tamper with the site’s integrity and availability for administrators and users.

Affected Systems

WordPress sites running the Doubledome Resource Library for Logged In Users plugin version 1.5 or earlier are affected. The plugin is provided by the vendor doubledome.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% suggests exploitation is unlikely but possible. The vulnerability is listed as not in CISA KEV, so no known active exploitation is reported. Exploitation typically requires social engineering to get an established administrator to submit a crafted request while authenticated. No additional technical prerequisites beyond the plugin’s missing nonce have been identified, so the attack vector is primarily indirect phishing or malicious link usage.

Generated by OpenCVE AI on April 21, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Doubledome Resource Library for Logged In Users plugin to the latest version where nonce validation is implemented
  • If the plugin is no longer required, disable or uninstall it to eliminate the risk surface
  • Consider adding a security plugin that enforces nonce checks or restricts administrative actions to trusted users
  • Regularly review and audit user permissions and monitor administrative activity logs for suspicious changes

Generated by OpenCVE AI on April 21, 2026 at 17:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description The Resource Library for Logged In Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to perform various unauthorized actions including creating, editing, and deleting resources and categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The Resource Library for Logged In Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to perform various unauthorized actions including creating, editing, and deleting resources and categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Resource Library for Logged In Users <= 1.4 - Cross-Site Request Forgery to Multiple Administrative Actions Resource Library for Logged In Users <= 1.5 - Cross-Site Request Forgery to Multiple Administrative Actions
References

Mon, 15 Dec 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Resource Library for Logged In Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to perform various unauthorized actions including creating, editing, and deleting resources and categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Resource Library for Logged In Users <= 1.4 - Cross-Site Request Forgery to Multiple Administrative Actions
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:38.149Z

Reserved: 2025-12-09T16:28:40.743Z

Link: CVE-2025-14354

cve-icon Vulnrichment

Updated: 2025-12-12T21:03:02.365Z

cve-icon NVD

Status : Deferred

Published: 2025-12-12T04:15:49.757

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14354

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:30:37Z

Weaknesses