CVE-2025-14468— AMP for WP – Accelerated Mobile Pages <= 1.1.9 - Cross-Site Request Forgery to Comment Submission
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-14468
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
AMP for WP – Accelerated Mobile Pages <= 1.1.9 - Cross-Site Request Forgery to Comment Submission
Source: NVD (National Vulnerability Database)
Vulnerability Description
The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to inverted nonce verification logic in the amp_theme_ajaxcomments AJAX handler, which rejects requests with VALID nonces and accepts requests with MISSING or INVALID nonces. This makes it possible for unauthenticated attackers to submit comments on behalf of logged-in users via a forged request granted they can trick a user into performing an action such as clicking on a link, and the plugin's template mode is enabled.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
跨站请求伪造(CSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress plugin AMP for WP – Accelerated Mobile Pages 跨站请求伪造漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin AMP for WP – Accelerated Mobile Pages 1.1.9及之前版本存在跨站请求伪造漏洞,该漏洞源于amp_theme_ajaxcomments AJAX处理程序中的随机数验证逻辑倒置,可
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| mohammed_kaludi | AMP for WP – Accelerated Mobile Pages | * ~ 1.1.9 | - |
II. Public POCs for CVE-2025-14468
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-14468
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: AMP for WP – Accelerated Mobile Pages
- CVE-2026-0627
AMP for WP <= 1.1.10 - Authenticated (Contributor+) Stored C - CVE-2024-11254
AMP for WP – Accelerated Mobile Pages <= 1.1.1 - Reflected C - CVE-2024-9598
AMP for WP – Accelerated Mobile Pages <= 1.0.99.1 - Cross-Si - CVE-2024-6896
AMP for WP – Accelerated Mobile Pages <= 1.0.96.1 - Authenti - CVE-2024-1043
AMP for WP <= 1.0.93.1 - Authenticated(Contributor+) Arbitra
Same vendor: mohammed_kaludi
- CVE-2026-0627
AMP for WP <= 1.1.10 - Authenticated (Contributor+) Stored C - CVE-2024-11254
AMP for WP – Accelerated Mobile Pages <= 1.1.1 - Reflected C - CVE-2024-9598
AMP for WP – Accelerated Mobile Pages <= 1.0.99.1 - Cross-Si - CVE-2024-6896
AMP for WP – Accelerated Mobile Pages <= 1.0.96.1 - Authenti - CVE-2024-1043
AMP for WP <= 1.0.93.1 - Authenticated(Contributor+) Arbitra
Same weakness: CWE-352
- CVE-2021-47953
OpenCart 3.0.3.7 Cross-Site Request Forgery via account/pass - CVE-2021-47946
OpenCart 3.0.36 Account Takeover via Cross Site Request Forg - CVE-2022-50955
WordPress Plugin Curtain 1.0.2 Cross-site Request Forgery - CVE-2026-8194
osTicket Dispatcher class.dispatcher.php cross-site request - CVE-2026-42286
Emlog: Cross-Site Request Forgery in Admin Functions
V. Comments for CVE-2025-14468
No comments yet