
CVE-2025-14367: CWE-862 Missing Authorization in corsonr Easy Theme Options

Severity: Medium
Tags: Vulnerability, CVE-2025-14367, CWE-862
Published: Sat Dec 13 2025 (12/13/2025, 04:31:28 UTC)
Source: CVE Database V5
Vendor/Project: corsonr
Product: Easy Theme Options

Description

The Easy Theme Options plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0. This is due to missing authorization checks in the eto_import_settings function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import arbitrary plugin settings via the 'eto_import_settings' parameter.

AI-Powered Analysis

Last updated: 12/13/2025, 05:04:01 UTC

Technical Analysis

CVE-2025-14367 is a Missing Authorization vulnerability (CWE-862) in the Easy Theme Options plugin for WordPress, developed by corsonr. It affects all versions up to and including 1.0 and stems from the eto_import_settings function performing no authorization check before it processes the 'eto_import_settings' parameter, which carries plugin settings to be imported. Because the check is missing, any authenticated user with Subscriber-level privileges or higher can invoke this function and import arbitrary settings, altering the plugin's configuration without permission. Exploitation requires no privileges beyond Subscriber level and no user interaction, and can be performed remotely over the network. The CVSS v3.1 base score is 5.3 (medium severity): confidentiality and availability are unaffected, while integrity can be compromised. No patches or known exploits are currently reported, but unauthorized configuration changes could lead to further security issues or site misbehavior. The vulnerability is particularly relevant for WordPress sites running this plugin, which may be targeted by attackers seeking to manipulate site behavior or indirectly escalate privileges.
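The defect described above is the absence of a capability check in front of a privileged action. The following is an added example, not the plugin's own code: a hypothetical settings-import handler in the vulnerable shape the advisory describes, beside a hardened version that checks the caller's capability, verifies a nonce, and allow-lists the imported keys. The option name 'eto_settings', the nonce action and field names, the text domain 'eto', the settings keys, and the assumption that the payload arrives as JSON in a POST parameter are all assumptions made for this example; only the parameter name 'eto_import_settings' comes from the advisory.

```php
<?php
// Added illustration, not the plugin's code. Assumes the plugin stores its
// settings in the option 'eto_settings' and reads the import payload from the
// POST parameter 'eto_import_settings' named in the advisory.

// --- Vulnerable shape (the class of defect CWE-862 describes) ---
// Hooked on admin_init, this runs for every logged-in user, including
// Subscribers, and saves whatever it is given: no capability check, no nonce.
function eto_import_settings_vulnerable() {
    if ( empty( $_POST['eto_import_settings'] ) ) {
        return;
    }
    $settings = json_decode( wp_unslash( $_POST['eto_import_settings'] ), true );
    update_option( 'eto_settings', $settings ); // missing authorization
}

// --- Hardened version ---
function eto_import_settings_hardened() {
    if ( ! isset( $_POST['eto_import_settings'] ) ) {
        return;
    }

    // 1. Authorization: only users who may manage site options can import.
    //    This is the check whose absence the advisory reports.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to import settings.', 'eto' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued to this user
    //    for this specific action (field and action names are assumptions).
    check_admin_referer( 'eto_import_settings', 'eto_import_nonce' );

    // 3. Input validation: accept only a JSON object, then allow-list its keys.
    $raw = json_decode( wp_unslash( $_POST['eto_import_settings'] ), true );
    if ( ! is_array( $raw ) ) {
        wp_die( esc_html__( 'Invalid settings payload.', 'eto' ), 400 );
    }
    update_option( 'eto_settings', eto_sanitize_settings( $raw ) );
}

// Allow-list sanitizer: unknown keys are dropped, known keys are coerced.
// The keys and sanitizers are assumptions chosen for the example.
function eto_sanitize_settings( array $raw ) {
    $allowed = array(
        'logo_url'    => 'esc_url_raw',
        'footer_text' => 'sanitize_text_field',
        'columns'     => 'absint',
    );
    $clean = array();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( array_key_exists( $key, $raw ) && is_scalar( $raw[ $key ] ) ) {
            $clean[ $key ] = call_user_func( $sanitizer, (string) $raw[ $key ] );
        }
    }
    return $clean;
}

add_action( 'admin_init', 'eto_import_settings_hardened' );
```

The capability check is the fix for the reported weakness; the nonce and the allow-list are the companion controls a reviewer would expect to see on any settings-import path, since a handler that accepts arbitrary keys still lets a privileged user (or a forged request) write values the plugin never validated.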

Potential Impact

For European organizations, the impact primarily concerns the integrity of WordPress sites using the Easy Theme Options plugin. Unauthorized import of plugin settings can lead to misconfiguration, potentially enabling further exploitation or disrupting site functionality. While confidentiality and availability are not directly affected, integrity compromises can undermine trust in the affected websites and may facilitate subsequent attacks such as privilege escalation or injection of malicious code through manipulated settings. Organizations relying on WordPress for public-facing websites, e-commerce, or internal portals could face reputational damage and operational disruptions. The medium severity score indicates a moderate risk that should not be ignored, especially in sectors with high regulatory requirements for website integrity and security, such as finance, healthcare, and government. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability becomes widely known.

Mitigation Recommendations

1. Immediately restrict access to the Easy Theme Options plugin settings to trusted administrators only, ensuring Subscriber-level users cannot access or invoke import functions.
2. Monitor user roles and permissions regularly to detect any unauthorized privilege escalations or suspicious activities related to plugin settings.
3. Implement web application firewall (WAF) rules to detect and block requests containing the 'eto_import_settings' parameter from unauthorized users.
4. Keep WordPress core and all plugins updated; apply patches from the vendor as soon as they are released for this vulnerability.
5. Conduct regular security audits and penetration testing focusing on plugin configurations and authorization controls.
6. Educate site administrators about the risks of granting unnecessary permissions to low-privilege users.
7. Consider disabling or replacing the Easy Theme Options plugin if it is not essential or if no timely patch is available.
8. Use logging and alerting mechanisms to track changes to plugin settings and investigate anomalies promptly.
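Recommendation 8 asks for logging and alerting on changes to the plugin's settings. As an added example (not the plugin's or the site's own code), the snippet below hooks WordPress's 'updated_option' action to record who changed the plugin's option, from where, and which keys moved, and raises an alert when the change was made by a user who lacks the capability that should gate it. The option name 'eto_settings' and the log prefix are assumptions; the hook, wp_get_current_user, user_can, error_log and wp_mail are standard WordPress/PHP calls.

```php
<?php
// Added illustration of an audit trail for plugin settings; not the plugin's
// code. Assumes the plugin keeps its settings in the option 'eto_settings'
// and that error_log() is routed somewhere (e.g. WP_DEBUG_LOG) that is collected.

// 'updated_option' fires after an option's value actually changes, with the
// option name, the previous value and the new value.
function eto_audit_settings_change( $option, $old_value, $new_value ) {
    if ( 'eto_settings' !== $option ) {
        return;
    }

    $user  = wp_get_current_user();            // ID 0 if no user is logged in
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'none';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';

    // Record which keys changed, without writing full values into the log.
    $before  = (array) $old_value;
    $after   = (array) $new_value;
    $changed = array();
    foreach ( array_unique( array_merge( array_keys( $before ), array_keys( $after ) ) ) as $key ) {
        $b = array_key_exists( $key, $before ) ? $before[ $key ] : null;
        $a = array_key_exists( $key, $after ) ? $after[ $key ] : null;
        if ( $b !== $a ) {
            $changed[] = $key;
        }
    }

    $entry = sprintf(
        '[eto-audit] option=%s user_id=%d login=%s roles=%s ip=%s changed_keys=%s',
        $option,
        $user->ID,
        $user->user_login,
        $roles,
        $ip,
        implode( ',', $changed )
    );
    error_log( $entry );

    // Alert condition: the settings changed under an account that should not be
    // able to manage options. That is exactly the symptom of a missing
    // authorization check on an import path.
    if ( ! user_can( $user, 'manage_options' ) ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Easy Theme Options settings changed by a non-administrator',
            $entry
        );
    }
}
add_action( 'updated_option', 'eto_audit_settings_change', 10, 3 );
```

Because the hook observes the option store rather than the HTTP request, it catches a change regardless of which code path made it, which is what makes it useful as a detective control alongside the WAF rule in recommendation 3.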


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-12-09T18:27:20.965Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 693cef64d977419e584a5030

Added to database: 12/13/2025, 4:45:24 AM

Last enriched: 12/13/2025, 5:04:01 AM

Last updated: 12/14/2025, 10:24:58 AM

Views: 15
