CVE-2025-14447: CWE-862 Missing Authorization in pcantoni AnnunciFunebri Impresa
The AnnunciFunebri Impresa plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the annfu_reset_options() function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all 29 plugin options, effectively resetting the plugin to its default state.
AI Analysis
Technical Summary
CVE-2025-14447 is a vulnerability identified in the AnnunciFunebri Impresa plugin for WordPress, affecting all versions up to and including 4.7.0. The root cause is a missing authorization check (CWE-862) in the annfu_reset_options() function, which allows any authenticated user with at least Subscriber-level privileges to invoke this function and delete all 29 plugin options. This action effectively resets the plugin to its default state, potentially undoing custom configurations set by administrators or site owners. The vulnerability does not require elevated privileges beyond Subscriber, nor does it require user interaction, making it relatively easy to exploit in environments where user registration is open or where Subscriber accounts exist. The impact is primarily on data integrity, as the plugin’s configuration can be maliciously or accidentally reset, which could disrupt normal plugin operation or expose the site to further risks if default settings are less secure. The CVSS v3.1 score is 5.3 (medium), reflecting the network attack vector, low attack complexity, no privileges required, and no user interaction needed. No patches or exploit code are currently publicly available, and no known exploits have been reported in the wild. The vulnerability was published on December 13, 2025, and assigned by Wordfence. Organizations using this plugin should be aware of the risk and prepare to apply fixes or implement access controls.
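The following is an added illustrative example, not code from the AnnunciFunebri Impresa plugin or from Wordfence. It shows the CWE-862 pattern the analysis describes (a privileged "reset options" action reachable by any logged-in user because the handler never checks a capability) beside the hardened form a maintainer would ship. The hook name `wp_ajax_example_reset_options`, the function names and the option list are assumptions chosen for the example; the real plugin's hook, option names and internals are not stated on this page.

```php
<?php
/**
 * Added example (not the plugin's code). Demonstrates a missing
 * capability check on an options-reset handler and its fix.
 * Hook name, function names and option names are assumptions.
 */

// Helper: the option names this example manages (constructed list,
// standing in for the plugin's own options).
function example_plugin_option_names() {
    return array( 'example_opt_title', 'example_opt_layout', 'example_opt_notify' );
}

// --- Vulnerable pattern (assumed shape of the defect the advisory describes) ---
// If a handler like this were registered on a wp_ajax_* hook, every
// authenticated user, Subscriber included, could reach it, and nothing
// here asks whether the caller is allowed to wipe the configuration.
// It is deliberately NOT registered in this example.
function example_reset_options_vulnerable() {
    foreach ( example_plugin_option_names() as $name ) {
        delete_option( $name ); // configuration removed for any logged-in caller
    }
    wp_send_json_success( 'options reset' );
}

// --- Hardened form ---
function example_reset_options_hardened() {
    // 1. Authorization (the missing check): only users who may manage
    //    site options are allowed to reset them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for
    //    this specific action (check_ajax_referer dies on failure).
    check_ajax_referer( 'example_reset_options', 'nonce' );

    foreach ( example_plugin_option_names() as $name ) {
        delete_option( $name );
    }
    wp_send_json_success( 'options reset' );
}

// Only the hardened handler is wired to the (assumed) AJAX action.
add_action( 'wp_ajax_example_reset_options', 'example_reset_options_hardened' );
```

The capability check is the fix for the authorization defect itself; the nonce check is a separate control against cross-site request forgery and does not substitute for it, since a nonce only proves the request originated from a page served to that same logged-in user.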
Potential Impact
For European organizations, this vulnerability can lead to unauthorized resetting of plugin configurations, potentially disrupting business operations relying on the AnnunciFunebri Impresa plugin. Since the plugin is related to funeral announcements, improper configuration resets could cause misinformation, loss of critical data, or service interruptions affecting customer trust and compliance with local regulations on data accuracy and service reliability. The ease of exploitation by low-privilege users increases risk in environments where user registration is not tightly controlled. While the vulnerability does not directly compromise confidentiality or availability, the integrity impact could cascade into broader operational issues or facilitate further attacks if default settings are insecure. Organizations with multiple WordPress sites or those using this plugin in public-facing portals are particularly at risk. The absence of known exploits reduces immediate threat but does not eliminate the risk of future exploitation.
Mitigation Recommendations
1. Immediately restrict Subscriber-level user registrations or review and limit the number of users with Subscriber or higher roles to trusted personnel only.
2. Monitor plugin option changes and audit logs for unexpected resets or configuration changes.
3. Apply patches or updates from the vendor as soon as they become available; if no patch is available, consider temporarily disabling the plugin or replacing it with a secure alternative.
4. Implement web application firewalls (WAF) with rules to detect and block unauthorized calls to the annfu_reset_options() function.
5. Harden WordPress installations by enforcing strong user role management and employing multi-factor authentication for all users with elevated privileges.
6. Regularly back up plugin configurations and site data to enable quick restoration if unauthorized resets occur.
7. Educate site administrators about the risks of low-privilege user exploitation and encourage vigilance in user account management.
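As an added example of recommendation 2 (not part of this advisory or of the plugin), the must-use plugin below records every deletion of a watched option together with the acting user's ID, roles and capability, so an unexpected reset carried out by a low-privilege account stands out in the server log. It relies on the WordPress core `delete_option` action, which fires just before an option is removed and receives the option name. The option prefix `example_` is a placeholder assumption: the plugin's real option names are not given on this page and must be substituted.

```php
<?php
/**
 * Added monitoring example (drop into wp-content/mu-plugins/), not the
 * plugin's code. Logs deletions of watched options with actor context.
 * EXAMPLE_WATCHED_OPTION_PREFIX is a placeholder; set it to the prefix
 * the plugin actually uses for its options.
 */

define( 'EXAMPLE_WATCHED_OPTION_PREFIX', 'example_' ); // placeholder (assumption)

// Core action: do_action( 'delete_option', $option ) runs before removal.
add_action( 'delete_option', 'example_log_watched_option_deletion', 10, 1 );

function example_log_watched_option_deletion( $option ) {
    // Only watch options belonging to the plugin of interest.
    if ( strpos( $option, EXAMPLE_WATCHED_OPTION_PREFIX ) !== 0 ) {
        return;
    }

    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'none';
    $addr  = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'cli';
    $uri   = isset( $_SERVER['REQUEST_URI'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) )
        : '-';

    // A deletion where can_manage_options=no is the condition to alert on:
    // an administrator resetting settings is expected, a Subscriber is not.
    $line = sprintf(
        'watched-option-delete option=%s user_id=%d roles=%s can_manage_options=%s ip=%s uri=%s',
        $option,
        (int) $user->ID,
        $roles,
        current_user_can( 'manage_options' ) ? 'yes' : 'no',
        $addr,
        $uri
    );
    error_log( $line );
}
```

Feed the resulting lines into whatever collector already receives the PHP error log and alert on `can_manage_options=no`; because the hook runs inside WordPress, it sees deletions regardless of which URL or AJAX action triggered them, which a URL-pattern WAF rule (recommendation 4) alone cannot guarantee.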
Affected Countries
Germany, Italy, France, Spain, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-10T13:54:13.521Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693cef65d977419e584a5094
Added to database: 12/13/2025, 4:45:25 AM
Last enriched: 12/20/2025, 6:22:17 AM
Last updated: 2/7/2026, 1:03:47 AM
Views: 41