CVE-2025-14447: CWE-862 Missing Authorization in pcantoni AnnunciFunebri Impresa
The AnnunciFunebri Impresa plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the annfu_reset_options() function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all 29 plugin options, effectively resetting the plugin to its default state.
AI Analysis
Technical Summary
CVE-2025-14447 identifies a missing authorization vulnerability (CWE-862) in the AnnunciFunebri Impresa plugin for WordPress, developed by pcantoni. The flaw exists in the annfu_reset_options() function, which lacks a capability check to verify that the calling user is permitted to reset plugin options. As a result, any authenticated user with Subscriber-level privileges or higher can invoke this function and delete all 29 plugin options, resetting the plugin to its default configuration. Because the WordPress Subscriber role is typically assigned to minimally privileged users, this vulnerability significantly lowers the attack barrier. The vulnerability affects all versions of the plugin up to and including 4.7.0. The CVSS 3.1 base score is 5.3 (medium): network attack vector (remote), low attack complexity, low privileges required (an authenticated account is sufficient), no user interaction, and an impact limited to integrity (modification of data). The vulnerability does not directly affect confidentiality or availability. No public exploits have been reported yet, and no patches are currently linked, so users must monitor vendor updates closely. The vulnerability could be leveraged to disrupt plugin configurations, potentially causing operational issues or loss of customized settings on affected WordPress sites.
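The handler shape that produces this CWE-862 pattern, next to a hardened version, as an added illustration that is not the plugin's own code. It assumes the reset is reachable through an admin-ajax action (placeholder hook name annfu_reset) and that the plugin's options share the prefix annfu_; both are assumptions, as is the option list.

```php
<?php
// Added illustration, not code from the AnnunciFunebri Impresa plugin.
// Assumptions (placeholders): the handler is wired to admin-ajax as
// "annfu_reset", and plugin options are prefixed "annfu_".

// Constructed stand-in for the plugin's option list (the real plugin has 29).
function annfu_option_names() {
    return array( 'annfu_company_name', 'annfu_contact_email' );
}

// --- Vulnerable pattern: every logged-in user can reach wp_ajax_* hooks,
// and nothing here asks whether the caller may manage options. ---
function annfu_reset_options_vulnerable() {
    foreach ( annfu_option_names() as $name ) {
        delete_option( $name );
    }
    wp_send_json_success( 'reset' );
}
// add_action( 'wp_ajax_annfu_reset', 'annfu_reset_options_vulnerable' );

// --- Hardened pattern: authorization check first, then CSRF protection. ---
function annfu_reset_options_fixed() {
    // Authorization: only users who may manage site options can reset them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends JSON and exits
    }
    // Request-forgery protection: nonce issued on the plugin settings page
    // via wp_create_nonce( 'annfu_reset_nonce' ); dies on mismatch.
    check_ajax_referer( 'annfu_reset_nonce', 'nonce' );

    foreach ( annfu_option_names() as $name ) {
        delete_option( $name );
    }
    wp_send_json_success( 'reset' );
}
add_action( 'wp_ajax_annfu_reset', 'annfu_reset_options_fixed' );
```

The capability check is the fix for the advisory's finding; the nonce check closes the separate cross-site request forgery path that a reset endpoint would otherwise still have.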
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the integrity of website data managed by the AnnunciFunebri Impresa plugin. Unauthorized resetting of plugin options can disrupt business operations, especially for companies in the funeral services sector relying on this plugin for critical announcements or service management. While it does not directly compromise confidentiality or availability, the loss of configuration can lead to downtime or degraded service quality, impacting customer trust and operational efficiency. Organizations with multiple users having Subscriber or higher roles are at increased risk, as attackers could exploit compromised or low-privilege accounts to trigger the reset. The impact is more pronounced in sectors where the plugin is widely used, and where website reliability is critical for business continuity. Additionally, the lack of known exploits suggests a window of opportunity for attackers before patches are widely deployed.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately audit user roles and permissions on WordPress sites using the AnnunciFunebri Impresa plugin, ensuring that Subscriber-level accounts are tightly controlled and monitored. Restrict plugin management capabilities to trusted users only. Until an official patch is released, consider implementing web application firewall (WAF) rules to detect and block calls to the annfu_reset_options() function from unauthorized users. Employ monitoring and alerting on unusual plugin option resets or configuration changes. Regularly back up plugin configurations and website data to enable quick restoration if unauthorized resets occur. Engage with the plugin vendor or community to obtain or contribute to a patch that adds proper authorization checks. Finally, educate site administrators about the risks of excessive privilege assignments and encourage the principle of least privilege.
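The monitoring and backup recommendations above, as an added must-use plugin that is not part of the original advisory or the vendor's code. It assumes the plugin's options are prefixed annfu_ (an assumption) and logs every deletion of such an option with the acting user, flagging deletions by accounts that cannot manage options.

```php
<?php
// Added defensive illustration, not the plugin's code. Drop into
// wp-content/mu-plugins/. Assumption: plugin options are prefixed "annfu_".

// Runs on the core "delete_option" action, which fires before each deletion.
function annfu_audit_option_delete( $option ) {
    if ( 0 !== strpos( $option, 'annfu_' ) ) {
        return; // not one of this plugin's options
    }
    $user      = wp_get_current_user();
    $can_admin = current_user_can( 'manage_options' );
    $line      = sprintf(
        'annfu-audit: option=%s user=%s id=%d can_manage_options=%s ip=%s',
        $option,
        $user->user_login ? $user->user_login : '(anonymous)',
        $user->ID,
        $can_admin ? 'yes' : 'no',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    );
    error_log( $line ); // ships to the PHP/web-server error log for alerting

    // The advisory's pattern: a plugin option removed by a non-admin account.
    if ( ! $can_admin ) {
        do_action( 'annfu_suspicious_option_delete', $option, $user->ID );
    }
}
add_action( 'delete_option', 'annfu_audit_option_delete', 10, 1 );

// Snapshot of the plugin's options, for the "back up configurations" advice.
// Note: wp_load_alloptions() covers autoloaded options only; options stored
// with autoload=no would need get_option() by name.
function annfu_snapshot_options() {
    $snapshot = array();
    foreach ( wp_load_alloptions() as $name => $value ) {
        if ( 0 === strpos( $name, 'annfu_' ) ) {
            $snapshot[ $name ] = maybe_unserialize( $value );
        }
    }
    return $snapshot;
}
```

A single low-privilege user producing 29 such log lines in one request is exactly the bulk reset this advisory describes, which makes a simple count-per-user-per-minute alert sufficient.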
Affected Countries
Italy, Germany, France, Spain, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-10T13:54:13.521Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693cef65d977419e584a5094
Added to database: 12/13/2025, 4:45:25 AM
Last enriched: 12/13/2025, 5:03:12 AM
Last updated: 12/14/2025, 4:11:03 AM