Description
The Simple Theme Changer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-12-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration changes via CSRF
Action: Patch Now
AI Analysis

Impact

The Simple Theme Changer plugin for WordPress lacks proper nonce validation in its configuration interface, allowing a cross‑site request forgery attack. An unauthenticated attacker can craft a forged request that, when a site administrator unknowingly clicks a link or visits a malicious page, updates the plugin’s settings. This can alter theme selection, deactivate or enable other plugin features, or otherwise modify site appearance and behavior without the admin’s knowledge.

Affected Systems

WordPress sites that have the Darendev Simple Theme Changer plugin installed with version 1.0 or earlier are affected. Any site administrator who accesses the plugin’s settings through a forged request is at risk.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact, and the EPSS score of less than 1% suggests a low likelihood of exploitation under normal conditions. The vulnerability is not listed in CISA’s KEV catalog. The exploitation path requires the attacker to obtain a forged request and trick an administrator into executing it, making the attack vector an admin‑interaction CSRF scenario. While the probability is low, the impact to configuration integrity warrants prompt action.

Generated by OpenCVE AI on April 20, 2026 at 21:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simple Theme Changer plugin to the latest version where nonce validation has been implemented.
  • Temporarily restrict or disable the plugin’s settings page for all but the most privileged administrators until the patch is applied.
  • Use a security plugin or scanner to verify that all other plugins and WordPress core functions perform proper nonce checks, and enforce site‑wide CSRF protection measures.

Generated by OpenCVE AI on April 20, 2026 at 21:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Simple Theme Changer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Simple Theme Changer <= 1.0 - Cross-Site Request Forgery to Arbitrary Theme Switcher Configuration Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:59.368Z

Reserved: 2025-12-09T21:05:19.695Z

Link: CVE-2025-14391

cve-icon Vulnrichment

Updated: 2025-12-18T20:37:56.489Z

cve-icon NVD

Status : Deferred

Published: 2025-12-12T04:15:49.940

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14391

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:30:18Z

Weaknesses