CVE-2025-14390 - Vulnerability Details

- Video Merchant <= 5.0.4 - Cross-Site Request Forgery to Arbitrary File Upload

Description

The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5.0.4. This is due to missing or incorrect nonce validation on the video_merchant_add_video_file() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published: 2025-12-10

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Video Merchant WordPress plugin allows unauthenticated attackers to craft forged requests that bypass nonce validation in the video_merchant_add_video_file() function, permitting them to upload arbitrary files. When such files are executed, an attacker can achieve remote code execution. The weakness is a file‑upload flaw (CWE‑434). This grants full compromise of affected sites if the uploaded content can be executed by the server.

Affected Systems

All installations of the Video Merchant plugin for WordPress with version 5.0.4 or earlier are vulnerable. The flaw exists in the plugin code that handles file uploading, and no fixed version is listed in the supplied data.

Risk and Exploitability

The CVSS score of 8.8 signals a high‑severity flaw. The EPSS value of less than 1% indicates that real‑world exploitation is currently rare, likely because the attack requires a user to unknowingly click a malicious link prompting an admin to perform an action. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, further suggesting low active exploitation. However, if an attacker can trick an administrator, the impact is severe due to remote code execution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

videomerchant

Video Merchant

unaffected

Version	Status	Constraints
`0`	affected	≤ 5.0.4

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Video Merchant plugin to a version newer than 5.0.4, which contains the missing nonce check.
If an immediate update is not possible, restrict the file‑upload capability to trusted users only or temporarily disable it.
Apply the vendor’s patch for the nonce validation flaw or replace the vulnerable function with a secure implementation.
Use additional WordPress security measures such as WAF rules or strict CSRF protections to mitigate future similar attacks.

Generated by OpenCVE AI on April 21, 2026 at 17:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00149.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://wordpress.org/plugins/video-merchant
https://www.wordfence.com/threat-intel/vulnerabilities/id/7cbe39ae-d10b-432f-afab-682948de2521?source=cve

History

Wed, 10 Dec 2025 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Wed, 10 Dec 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 10 Dec 2025 09:30:00 +0000

Type	Values Removed	Values Added
Description		The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5.0.4. This is due to missing or incorrect nonce validation on the video_merchant_add_video_file() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title		Video Merchant <= 5.0.4 - Cross-Site Request Forgery to Arbitrary File Upload
Weaknesses		CWE-434
References		https://wordpress.org/plugins/video-merchant https://www.wordfence.com/threat-intel/vulnerabilities/id/7cbe39ae-d10b-432f-afab-682948de2521?source=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-12-10T09:23:56.285Z

Updated: 2026-04-08T17:02:44.103Z

Reserved: 2025-12-09T20:50:49.004Z

Link: CVE-2025-14390

Vulnrichment

Updated: 2025-12-10T16:55:39.739Z

NVD

Status : Deferred

Published: 2025-12-10T10:16:01.823

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14390

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:45:16Z

Weaknesses

CWE-434

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object