Description
The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.5. This is due to missing nonce validation on the wpsc_settings_tab_menu function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-01-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Configuration Modification via Cross‑Site Request Forgery
Action: Update Plugin
AI Analysis

Impact

The SocialChamp with WordPress plugin does not validate a nonce in its wpsc_settings_tab_menu function, so the settings update it performs is driven by request parameters alone. Because a browser attaches the site's authentication cookies to cross-site requests as well, an attacker who gets a logged-in administrator to load attacker-controlled content can have that browser submit a settings change the administrator never intended. The flaw affects integrity only (CVSS vector C:N/I:L/A:N): the attacker reads nothing and cannot take the site down, and the change is confined to this plugin's configuration. For a plugin whose job is publishing to social-media accounts, tampered settings can plausibly alter what gets posted and where, but the advisory does not enumerate which settings are reachable.
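As an added illustration of the bug class the advisory describes (this is not the plugin's code and not a reproduction of wpsc_settings_tab_menu, whose source this page does not show), the hypothetical handler below first appears in the CSRF-prone shape, a settings update that trusts request data alone, and then with the capability and nonce checks WordPress provides. The option name, field names, nonce name and action name (example_settings, example_nonce, example_save_settings) are invented for the example.

```php
<?php
/*
 * Added example: a hypothetical WordPress settings handler, first in the
 * CSRF-prone shape the advisory describes (no nonce check) and then hardened.
 * This is NOT the SocialChamp plugin's code; the option name, field names,
 * nonce name and action name are invented for illustration.
 */

// --- Vulnerable shape (do not deploy) --------------------------------------
// Any request that reaches this while an administrator is logged in updates
// the option: the browser attaches the admin's cookies to cross-site requests
// too, and nothing here proves the request came from the admin screen rather
// than from an attacker's page. Deliberately not hooked into WordPress.
function example_vulnerable_save_settings() {
    if ( isset( $_POST['example_settings'] ) ) {
        update_option( 'example_settings', wp_unslash( $_POST['example_settings'] ) );
    }
}

// --- Hardened shape -------------------------------------------------------
// The form embeds a nonce bound to the current user's session and to the
// action name; the handler refuses to act unless that nonce verifies.
function example_render_settings_page() {
    $settings = (array) get_option( 'example_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <label>Post prefix
            <input type="text" name="example_settings[prefix]"
                   value="<?php echo esc_attr( $settings['prefix'] ?? '' ); ?>">
        </label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

function example_save_settings() {
    // 1. Authorization: a nonce is not an access control on its own.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', 403 );
    }

    // 2. Anti-CSRF: check_admin_referer() verifies the field named
    //    'example_nonce' against the 'example_save_settings' action for the
    //    current user and calls wp_die() if it is missing or invalid.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 3. Validate and sanitize before persisting.
    $raw   = isset( $_POST['example_settings'] ) ? (array) wp_unslash( $_POST['example_settings'] ) : array();
    $clean = array(
        'prefix' => sanitize_text_field( $raw['prefix'] ?? '' ),
    );
    update_option( 'example_settings', $clean );

    // Post/Redirect/Get: send the browser back to the settings screen.
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings' );
```

The two checks are independent: current_user_can() answers "may this user do this", the nonce answers "did this user's own browser, on this site's page, initiate it". A handler reached through admin-ajax.php would use check_ajax_referer() in place of check_admin_referer(); the same two-check structure applies.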

Affected Systems

The vulnerability affects the SocialChamp with WordPress plugin (listed under vendor Socialchampio), all releases up to and including 1.3.5; the affected range was raised from <= 1.3.3 to <= 1.3.5 on 2026-04-08, so treat any installed version as affected until a fixed release is published. The WordPress core version is irrelevant. The attack targets users who can change the plugin's settings, normally site administrators, because it is their authenticated browser session that carries the forged request.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium), vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N: reachable over the network with no privileges on the attacker's side, but user interaction is required and the only impact is a limited loss of integrity. The EPSS score of < 1% reflects a very low probability of exploitation in the wild, the CISA SSVC assessment records Exploitation: none, Automatable: no and Technical Impact: partial, and the flaw is not listed in the CISA KEV catalog. Exploitation requires social engineering: the attacker must get an administrator who is logged in to the target site to visit attacker-controlled content (a link, or a page carrying a hidden form or image tag) that causes the browser to send a settings-update request to the plugin; the browser adds the administrator's cookies automatically. No additional access or privilege escalation is required beyond the victim's authenticated session. The advisory's wording ("clicking on a link") suggests the handler may act on a plain GET request; if so, the default SameSite=Lax cookie behaviour of current browsers, which withholds cookies on most cross-site POSTs but sends them on top-level link navigations, offers no protection here.

Generated by OpenCVE AI on April 21, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin as soon as the vendor publishes a release later than 1.3.5 that adds nonce validation to the settings handler. As of this record no fixed version is listed, and the affected range was widened from <= 1.3.3 to <= 1.3.5 on 2026-04-08, so do not assume the newest available version is safe without checking the changelog or the code for the check.
  • Until a fixed release exists, deactivate or uninstall the plugin on sites where unauthorized changes to its settings would matter. While it remains active, administrators should avoid browsing untrusted sites from a browser session that is logged in to the WordPress dashboard, since that session is what a forged request relies on.
  • A web-application firewall or similar filtering layer cannot verify a WordPress nonce (it is derived from the user's session token and a server-side secret), so a rule that checks for "the expected nonce value" is not implementable there. What such a layer can enforce is request provenance: reject state-changing requests to wp-admin, admin-post.php and admin-ajax.php whose Origin (or Referer) header names a host other than the site itself. Treat this as defense in depth, not as a replacement for the fix in the plugin.
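The provenance check suggested in the last recommendation can live inside WordPress itself rather than in a proxy. The must-use plugin below is an added example (not part of SocialChamp and not code from OpenCVE): it rejects state-changing requests to the admin area whose Origin header, or Referer when Origin is absent, names a host other than the site's own. The plugin name, function prefix and file path are assumptions.

```php
<?php
/*
 * Plugin Name: Admin Origin Guard (added example)
 * Description: Defense in depth against CSRF: rejects state-changing requests to
 *              the WordPress admin area whose Origin/Referer host is not this site.
 * Hypothetical location: wp-content/mu-plugins/admin-origin-guard.php
 */

// GET/HEAD/OPTIONS are treated as safe; everything else may change state.
function aog_is_state_changing_request() {
    $method = strtoupper( $_SERVER['REQUEST_METHOD'] ?? 'GET' );
    return ! in_array( $method, array( 'GET', 'HEAD', 'OPTIONS' ), true );
}

// Host the browser says the request came from. Current browsers send Origin
// on cross-site POSTs; Referer is the fallback. Returns null only when neither
// header is present (non-browser client, or a strict Referrer-Policy). A
// literal "null" Origin (sandboxed iframe, opaque origin) is kept as a string
// so that it compares as foreign rather than as "unknown".
function aog_request_source_host() {
    $source = $_SERVER['HTTP_ORIGIN'] ?? ( $_SERVER['HTTP_REFERER'] ?? '' );
    if ( '' === $source ) {
        return null;
    }
    if ( 'null' === $source ) {
        return 'null';
    }
    $host = wp_parse_url( $source, PHP_URL_HOST );
    return is_string( $host ) ? strtolower( $host ) : 'invalid';
}

function aog_guard_admin_request() {
    // Only the admin area (wp-admin/*, admin-ajax.php, admin-post.php), only
    // methods that change state, and never cron or WP-CLI runs.
    if ( ! is_admin() || ! aog_is_state_changing_request() ) {
        return;
    }
    if ( ( defined( 'DOING_CRON' ) && DOING_CRON ) || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }

    $site_host   = strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );
    $source_host = aog_request_source_host();

    // Policy: block when the source is known and foreign. Requests carrying no
    // Origin/Referer at all pass through so non-browser integrations keep
    // working; those are not CSRF, because no victim browser is involved.
    if ( null !== $source_host && $source_host !== $site_host ) {
        error_log( sprintf(
            'admin-origin-guard: rejected %s %s from origin host "%s"',
            $_SERVER['REQUEST_METHOD'] ?? '?',
            $_SERVER['REQUEST_URI'] ?? '',
            $source_host
        ) );
        wp_die( 'Cross-site request rejected.', 403 );
    }
}
// Priority 0 on init so the check runs before admin_init handlers act.
add_action( 'init', 'aog_guard_admin_request', 0 );
```

Two limits are worth stating. The guard only inspects methods other than GET/HEAD/OPTIONS; a handler that changes state on a plain link click sends no Origin and the Referer may be stripped, so it is not covered, and the nonce check inside the plugin remains the actual fix. And on installations where the dashboard is served from a host other than home_url()'s (multisite domain mapping, a proxy rewriting Host), $site_host must be derived from the admin host instead or legitimate admin POSTs will be rejected.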

Generated by OpenCVE AI on April 21, 2026 at 00:25 UTC.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing nonce validation on the wpsc_settings_tab_menu function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Values Added: The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.5. This is due to missing nonce validation on the wpsc_settings_tab_menu function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Removed: SocialChamp with WordPress <= 1.3.3 - Cross-Site Request Forgery to Plugin Settings Update
Values Added: SocialChamp with WordPress <= 1.3.5 - Cross-Site Request Forgery to Plugin Settings Update

Type: References

Thu, 15 Jan 2026 08:15:00 +0000

Type: First Time appeared
Values Added: Socialchampio; Socialchampio socialchamp With Wordpress; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Socialchampio; Socialchampio socialchamp With Wordpress; Wordpress; Wordpress wordpress

Wed, 14 Jan 2026 21:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 07:00:00 +0000

Type: Description
Values Added: The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing nonce validation on the wpsc_settings_tab_menu function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Added: SocialChamp with WordPress <= 1.3.3 - Cross-Site Request Forgery to Plugin Settings Update

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:00.415Z

Reserved: 2025-12-17T18:55:54.282Z

Link: CVE-2025-14846

Vulnrichment

Updated: 2026-01-14T20:27:57.743Z

NVD

Status: Deferred

Published: 2026-01-14T07:16:13.680

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14846

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:30:22Z

Weaknesses