CVE-2025-14390 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the Video Merchant plugin for WordPress, specifically versions up to and including 5.0.4. The root cause is the absence or incorrect implementation of nonce validation in the video_merchant_add_video_file() function, which is responsible for handling video file uploads. Nonces in WordPress serve as security tokens to verify the legitimacy of requests and prevent CSRF attacks. Without proper nonce validation, attackers can craft malicious HTTP requests that, when executed by an authenticated administrator (via social engineering such as clicking a link), allow the upload of arbitrary files. These files can include web shells or other malicious scripts, enabling remote code execution (RCE) on the hosting server. The vulnerability is remotely exploitable without authentication but requires user interaction (clicking a malicious link). The CVSS v3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no privileges required. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those handling sensitive data or critical business functions. The lack of a patch link suggests that a fix may not yet be publicly available, increasing urgency for temporary mitigations or monitoring.

The impact of CVE-2025-14390 is severe for organizations using the Video Merchant WordPress plugin. Successful exploitation allows attackers to upload arbitrary files, including malicious scripts, leading to remote code execution on the web server. This can result in full system compromise, data theft, defacement, or use of the server as a pivot point for further attacks. Confidentiality is at risk as attackers can access sensitive customer and business data. Integrity is compromised through unauthorized modification or deletion of files. Availability may be affected if attackers disrupt services or deploy ransomware. The attack requires tricking an administrator, so organizations with less security awareness or inadequate phishing defenses are more vulnerable. E-commerce sites using this plugin may face financial losses, reputational damage, and regulatory penalties. The broad use of WordPress globally means many organizations could be affected, especially small to medium businesses that rely on plugins for functionality but may lack robust security controls.

To mitigate CVE-2025-14390, organizations should immediately verify if they use the Video Merchant plugin version 5.0.4 or earlier and upgrade to a patched version once available. In the absence of an official patch, implement the following specific measures: 1) Manually audit and enforce nonce validation in the video_merchant_add_video_file() function to ensure requests are properly authenticated. 2) Restrict file upload types and implement server-side validation to block dangerous file extensions and MIME types. 3) Harden web server configurations to prevent execution of uploaded files in upload directories (e.g., disable PHP execution). 4) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious upload attempts and CSRF patterns. 5) Educate administrators about phishing and social engineering risks to reduce the chance of clicking malicious links. 6) Monitor logs for unusual file uploads or administrative actions. 7) Limit administrative access to trusted networks and use multi-factor authentication to reduce risk. These targeted actions go beyond generic advice and address the specific attack vectors of this vulnerability.