CVE-2025-22814

High

Published: 09 January 2025

Published

09 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0014 32.9th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Cross-Site Request Forgery (CSRF) vulnerability in Dylan James Zephyr Admin Theme zephyr-modern-admin-theme allows Cross Site Request Forgery.This issue affects Zephyr Admin Theme: from n/a through <= 1.4.1.

Security Summary

CVE-2025-22814 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Zephyr Modern Admin Theme (zephyr-modern-admin-theme) WordPress plugin developed by Dylan James. The issue affects all versions of the plugin up to and including 1.4.1, enabling attackers to perform unauthorized actions on behalf of authenticated users.

With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability can be exploited remotely by unauthenticated attackers with low complexity. Exploitation requires user interaction, typically tricking an authenticated administrator into visiting a malicious webpage or clicking a forged link, which submits unauthorized requests and results in low impacts to confidentiality, integrity, and availability, with a changed scope.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/zephyr-modern-admin-theme/vulnerability/wordpress-zephyr-admin-theme-plugin-1-4-1-csrf-to-stored-xss-vulnerability?_s_id=cve) describes this as a CSRF-to-stored XSS vulnerability in version 1.4.1 and provides details on mitigation, which security practitioners should consult for patching or workaround guidance.

Details

CWE(s): CWE-352

References

https://patchstack.com/database/Wordpress/Plugin/zephyr-modern-admin-theme/vulnerability/wordpress-zephyr-admin-theme-plugin-1-4-1-csrf-to-stored-xss-vulnerability?_s_id=cve
audit@patchstack.com