Description
The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-02-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery enabling unauthorized plugin configuration changes
Action: Update Plugin
AI Analysis

Impact

The MDirector Newsletter WordPress plugin contains a Cross‑Site Request Forgery vulnerability in all releases up to and including 4.5.8. The flaw arises from the mdirectorNewsletterSave function lacking a nonce check, which allows an unauthenticated attacker to forge a request that changes the plugin’s settings when a site administrator unknowingly submits the request. Altering these settings can redirect email campaigns, enable spam, or affect other administrative functions, compromising the integrity of the WordPress site.

Affected Systems

The vulnerability affects the MDirector Newsletter WordPress plugin developed by antevenio. All versions from the initial release through 4.5.8 are impacted. Neither the 4.5.9 release nor any newer versions contain the fix.

Risk and Exploitability

With a CVSS score of 4.3 the vulnerability is considered moderate; the EPSS score of less than 1 % indicates a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a social‑engineering scenario in which an attacker tricks a site administrator into clicking a crafted link that submits the forged request using the victim’s authenticated session.

Generated by OpenCVE AI on April 21, 2026 at 16:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MDirector Newsletter plugin to the latest version (4.5.9 or newer).
  • If an upgrade is not immediately possible, limit access to the plugin’s settings page to a narrow set of trusted administrator accounts and monitor for unexpected changes.
  • Deploy a WordPress security plugin that adds CSRF protection to administrative actions, or otherwise enforce a valid nonce on all plugin‑related POST requests.

Generated by OpenCVE AI on April 21, 2026 at 16:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Tue, 17 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Antevenio
Antevenio mdirector Newsletter
Wordpress
Wordpress wordpress
Vendors & Products Antevenio
Antevenio mdirector Newsletter
Wordpress
Wordpress wordpress

Sat, 14 Feb 2026 06:45:00 +0000

Type Values Removed Values Added
Description The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title MDirector Newsletter <= 4.5.8 - Cross-Site Request Forgery to Plugin Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Antevenio Mdirector Newsletter
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:20.787Z

Reserved: 2025-12-17T20:26:26.949Z

Link: CVE-2025-14852

cve-icon Vulnrichment

Updated: 2026-02-17T15:36:42.462Z

cve-icon NVD

Status : Deferred

Published: 2026-02-14T07:16:06.433

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14852

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T16:15:40Z

Weaknesses