
CVE-2025-14447: CWE-862 Missing Authorization in pcantoni AnnunciFunebri Impresa

Severity: Medium
Published: Sat Dec 13 2025 (12/13/2025, 04:31:22 UTC)
Source: CVE Database V5
Vendor/Project: pcantoni
Product: AnnunciFunebri Impresa

Description

The AnnunciFunebri Impresa plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the annfu_reset_options() function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all 29 plugin options, effectively resetting the plugin to its default state.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 11:16:44 UTC

Technical Analysis

The vulnerability identified as CVE-2025-14447 affects the AnnunciFunebri Impresa plugin for WordPress, developed by pcantoni, in all versions up to and including 4.7.0. The root cause is a missing authorization check (CWE-862) in the annfu_reset_options() function. This function resets the plugin's configuration by deleting all 29 plugin options stored in the WordPress database. Because it performs no capability verification, any authenticated user with Subscriber-level access or higher can invoke it and reset the plugin settings without holding the permissions that should be required. Exploitation needs no privileges beyond a basic authenticated account and no user interaction beyond logging in. The CVSS v3.1 base score is 5.3 (medium), reflecting that the flaw is exploitable over the network by a low-privileged account, with an impact limited to integrity and none on confidentiality or availability. While no public exploits are known, the vulnerability could be used to disrupt site functionality or to prepare further attacks by resetting plugin configuration. The absence of a patch link indicates that a fix may not yet be publicly available, which makes interim mitigation important.

Potential Impact

The primary impact of this vulnerability is unauthorized modification of plugin configuration, which can lead to loss of customized settings and disruption of the plugin's intended functionality on affected WordPress sites. For organizations relying on the AnnunciFunebri Impresa plugin, this could result in degraded user experience, loss of critical business data related to funeral announcements, or operational interruptions. Although the vulnerability does not directly compromise confidentiality or availability, resetting plugin options could serve as a stepping stone for further attacks or cause confusion and administrative overhead. Since exploitation requires only Subscriber-level access, attackers who obtain low-level credentials (through phishing, credential stuffing, or other means) can exploit this flaw. This broadens the attack surface and increases risk, especially for sites with many users or weak access controls. The lack of known exploits reduces immediate risk but does not eliminate the potential for future attacks.

Mitigation Recommendations

To mitigate this vulnerability, organizations should first check for updates from the plugin vendor and apply any available patch promptly once released. In the absence of an official patch, administrators can implement the following specific measures:

1) Restrict Subscriber-level user accounts by reviewing and minimizing user roles and permissions, ensuring that only trusted users have authenticated access.
2) Employ WordPress security plugins or custom code to add capability checks around the annfu_reset_options() function, preventing unauthorized calls.
3) Monitor logs for unusual activity related to plugin option resets or unexpected changes in plugin behavior.
4) Implement multi-factor authentication (MFA) for all user accounts to reduce the risk of credential compromise.
5) Regularly back up WordPress configurations and plugin settings to enable quick restoration if unauthorized resets occur.
6) Consider temporarily disabling or removing the AnnunciFunebri Impresa plugin, if it is not critical, until a patch is available.

These targeted actions go beyond generic advice by focusing on controlling access to, and monitoring of, the specific vulnerable function.
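The following is an added example, not code from the AnnunciFunebri Impresa plugin: it shows the CWE-862 pattern the analysis describes (an options-reset routine reachable by any logged-in user) next to a hardened version with the capability and nonce checks that mitigation item 2 calls for. The admin-ajax action name, the option keys, and the function names are assumptions; the real plugin's 29 option names are not on this page.

```php
<?php
// Added example, not AnnunciFunebri Impresa code. Assumes the reset is
// exposed through an admin-ajax action named 'annfu_reset_options'
// (hypothetical hook name) and that the option keys live in a list.

// Hypothetical list of option keys (the real plugin deletes 29 options).
$annfu_option_keys = array( 'annfu_example_option_a', 'annfu_example_option_b' );

// BEFORE (the CWE-862 pattern): nothing verifies who is calling, so any
// authenticated user that reaches this action deletes every option.
function annfu_reset_options_unchecked( $keys ) {
    foreach ( $keys as $key ) {
        delete_option( $key );
    }
    wp_send_json_success( 'options reset' );
}

// AFTER: verify capability and nonce before touching any option.
function annfu_reset_options_checked( $keys ) {
    // Only users permitted to manage site options may reset the plugin.
    // wp_send_json_error() terminates the request, so execution stops here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // Reject requests without a valid nonce for this action (CSRF defence).
    check_ajax_referer( 'annfu_reset_options_nonce', 'nonce' );

    foreach ( $keys as $key ) {
        delete_option( $key );
    }
    // Leave an audit trail so a reset is visible in logs (mitigation item 3).
    error_log( sprintf( 'annfu: options reset by user %d', get_current_user_id() ) );
    wp_send_json_success( 'options reset' );
}

// Register only the checked handler; the unchecked one is shown for contrast.
add_action( 'wp_ajax_annfu_reset_options', function () use ( $annfu_option_keys ) {
    annfu_reset_options_checked( $annfu_option_keys );
} );
```

The same two checks can be applied from a must-use plugin that wraps the vulnerable action until a vendor patch ships, which is the interim control mitigation item 2 describes.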


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-12-10T13:54:13.521Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 693cef65d977419e584a5094

Added to database: 12/13/2025, 4:45:25 AM

Last enriched: 2/27/2026, 11:16:44 AM

Last updated: 3/24/2026, 4:20:05 PM
