CVE-2025-14616 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the Recooty – Job Widget (Old Dashboard) plugin for WordPress, affecting all versions up to and including 1.0.6. The root cause is the absence of nonce validation in the recooty_save_maybe() function, which is responsible for saving plugin options. Nonce validation is a security mechanism to ensure that requests are intentionally made by authenticated users and not forged by attackers. Due to this missing validation, an attacker can craft a malicious request that, when executed by a logged-in site administrator (via clicking a link or visiting a malicious page), causes the plugin to update the recooty_key option. This update can be leveraged to inject malicious content into iframe src attributes, potentially enabling content injection attacks such as embedding malicious iframes or redirecting users to harmful sites. The vulnerability does not require the attacker to be authenticated but does require the victim administrator's interaction, making social engineering a key exploitation vector. The CVSS v3.1 score of 4.3 reflects that the attack vector is network-based, with low attack complexity, no privileges required, but requiring user interaction. The impact affects integrity but not confidentiality or availability. No patches are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in December 2025 and published in January 2026. The plugin is used primarily in WordPress environments that utilize the Recooty job widget for embedding job postings.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the affected Recooty plugin version. Successful exploitation can lead to unauthorized modification of plugin settings and injection of malicious iframe content, which could be used to redirect visitors to malicious sites, conduct phishing attacks, or deliver malware. While the vulnerability does not directly compromise sensitive data confidentiality or availability, the integrity compromise can damage organizational reputation, lead to user trust erosion, and potentially facilitate further attacks through malicious content delivery. Organizations relying on WordPress for recruitment or job posting functionalities are particularly at risk. Given the requirement for administrator interaction, the threat is somewhat mitigated by user awareness but remains significant in environments with less stringent security training or where administrators frequently interact with external links. The absence of known exploits reduces immediate risk but does not eliminate the potential for future exploitation. European organizations with public-facing WordPress sites using this plugin should consider the risk of defacement or indirect compromise through iframe injection.

1. Immediate mitigation involves updating the Recooty – Job Widget plugin to a version that addresses this vulnerability once available. If no patch exists, consider disabling or removing the plugin until a fix is released. 2. Implement strict administrative user training to avoid clicking on suspicious or unsolicited links, especially those that could trigger unintended actions. 3. Employ Web Application Firewalls (WAFs) with rules to detect and block CSRF attack patterns targeting the plugin's endpoints. 4. Use security plugins that enforce nonce validation or add custom nonce checks to plugin functions if feasible. 5. Restrict administrative access to trusted networks or use multi-factor authentication to reduce the risk of compromised admin sessions. 6. Monitor website logs for unusual POST requests or changes to the recooty_key option to detect potential exploitation attempts. 7. Conduct regular security audits of WordPress plugins and remove unused or outdated plugins to minimize attack surface. 8. Consider Content Security Policy (CSP) headers to restrict iframe sources and reduce the impact of malicious iframe injection.