Description
The LEAV Last Email Address Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions <= 1.7.1. This is due to missing or incorrect nonce validation on the display_settings_page function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-01-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery permitting unauthorized plugin configuration changes
Action: Apply Patch
AI Analysis

Impact

The LEAV Last Email Address Validator plugin for WordPress contains a flaw in the display_settings_page function where nonce verification is missing or incorrect. This defect enables a Cross‑Site Request Forgery attack, allowing an unauthenticated user to trick an administrator into submitting a forged request that changes plugin settings. The resulting compromise can alter configuration parameters without authorization, potentially impacting site behavior and user data handling.

Affected Systems

This vulnerability affects the LEAV Last Email Address Validator plugin, version 1.7.1 and earlier, used on WordPress installations. If the plugin is present and enabled, any site where administrators log in may be exposed.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate impact. The EPSS score is below 1%, suggesting a low likelihood of exploitation in current data. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is that an unauthenticated attacker sends a crafted link to a site administrator, who upon clicking would trigger the CSRF and update settings; because the settings handler does not validate a nonce, the administrator's existing authenticated session is enough for the forged request to succeed, making the exploit straightforward once an admin is lured.

Generated by OpenCVE AI on April 21, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update LEAV Last Email Address Validator to the latest released version (1.7.2 or later) where nonce validation is corrected.
  • If an update is not possible, disable or remove the plugin to eliminate the vulnerable surface.
  • Enforce robust CSRF protection for all admin pages and ensure administrators verify external links before clicking to reduce the chance of a crafted request being executed.
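The third recommendation is the one plugin authors act on. The following is an added illustration of the pattern behind CWE-352 on a WordPress settings page; it is not the LEAV plugin's code, and every name in it (the leav_demo_ prefix, the option key, the menu slug, the nonce action) is hypothetical. The first handler saves settings straight from $_POST, which is what lets a forged cross-site form post succeed with the administrator's session; the second adds the capability check plus wp_nonce_field()/check_admin_referer(), so a request that did not originate from the plugin's own form is rejected before update_option() runs.

```php
<?php
// Added example for this record: an illustrative WordPress settings handler,
// NOT the LEAV Last Email Address Validator plugin's code. All leav_demo_*
// names, the option key and the menu slug are hypothetical.

// VULNERABLE PATTERN (CWE-352): the option is written from $_POST with no
// nonce check. A logged-in administrator lured to an attacker-controlled page
// that auto-submits a form to this admin URL will change the setting
// unintentionally, because the browser attaches the admin's cookies.
function leav_demo_settings_page_vulnerable() {
    if ( isset( $_POST['leav_demo_allowed_domains'] ) ) {
        update_option(
            'leav_demo_allowed_domains',
            sanitize_text_field( wp_unslash( $_POST['leav_demo_allowed_domains'] ) )
        );
    }
    leav_demo_render_form( false );
}

// HARDENED PATTERN: require the capability, then verify the nonce that
// wp_nonce_field() embedded in the form. check_admin_referer() calls wp_die()
// when the nonce is missing, forged or expired, so a cross-site form post
// never reaches update_option(). The nonce is tied to the user session and
// the action string, which a third-party page cannot obtain.
function leav_demo_settings_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'leav-demo' ) );
    }
    if ( isset( $_POST['leav_demo_allowed_domains'] ) ) {
        check_admin_referer( 'leav_demo_save_settings', 'leav_demo_nonce' );
        update_option(
            'leav_demo_allowed_domains',
            sanitize_text_field( wp_unslash( $_POST['leav_demo_allowed_domains'] ) )
        );
    }
    leav_demo_render_form( true );
}

// Shared form renderer; $with_nonce controls whether the hidden nonce field
// (and the accompanying _wp_http_referer field) is emitted.
function leav_demo_render_form( $with_nonce ) {
    $value = get_option( 'leav_demo_allowed_domains', '' );
    echo '<form method="post">';
    if ( $with_nonce ) {
        wp_nonce_field( 'leav_demo_save_settings', 'leav_demo_nonce' );
    }
    echo '<label>Allowed domains <input type="text" name="leav_demo_allowed_domains" value="'
        . esc_attr( $value ) . '"></label>';
    submit_button( __( 'Save', 'leav-demo' ) );
    echo '</form>';
}

// Register only the hardened handler as the settings page callback.
add_action( 'admin_menu', function () {
    add_options_page(
        'LEAV demo settings',
        'LEAV demo',
        'manage_options',
        'leav-demo',
        'leav_demo_settings_page_hardened'
    );
} );
```

Two design notes: the capability check and the nonce check are separate controls and both are needed (the nonce proves intent, current_user_can() proves authorization), and if a plugin uses the Settings API (register_setting() with a form posting to options.php) WordPress performs the nonce verification itself, which is often the simpler fix. Where a plugin wants to log rejected requests instead of dying, wp_verify_nonce() returns false rather than terminating and can be wrapped with a logging call.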



Advisories

No advisories yet.

History

Fri, 16 Jan 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Smings; Smings leav Last Email Address Validator; Wordpress; Wordpress wordpress
Vendors & Products | (none) | Smings; Smings leav Last Email Address Validator; Wordpress; Wordpress wordpress
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 07:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | The LEAV Last Email Address Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions <= 1.7.1. This is due to missing or incorrect nonce validation on the display_settings_page function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title | (none) | LEAV Last Email Address Validator <= 1.7.1 - Cross-Site Request Forgery to Plugin Settings Update
Weaknesses | (none) | CWE-352
References | (none) |
Metrics | (none) | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Smings Leav Last Email Address Validator
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:46.375Z

Reserved: 2025-12-17T20:29:58.227Z

Link: CVE-2025-14853

Vulnrichment

Updated: 2026-01-16T13:56:47.350Z

NVD

Status: Deferred

Published: 2026-01-16T07:15:56.063

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14853

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T16:30:40Z

Weaknesses