CVE-2025-14468
AMP for WP – Accelerated Mobile Pages <= 1.1.9 - Cross-Site Request Forgery to Comment SubmissionThe AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to inverted nonce verification logic in the amp_theme_ajaxcomments AJAX handler, which rejects requests with VALID nonces and accepts requests with MISSING or INVALID nonces. This makes it possible for unauthenticated attackers to submit comments on behalf of logged-in users via a forged request granted they can trick a user into performing an action such as clicking on a link, and the plugin's template mode is enabled.
We have discovered 31,565 live websites that are affected by CVE-2025-14468.
Affected Software
| Product |  AMP for WP |
| Category | Wordpress Plugins |
| Vulnerable Domains | 31,565 live websites (93% of AMP for WP install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 153 versions ( 99% of all versions) |
Common Weakness Enumeration
CWE-352 Cross-Site Request Forgery (CSRF)Details
- Published - Jan 7, 2026
- Updated - Jan 7, 2026
Credits
- Rafał (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-14468 United States | 14,785 websites |
 Russia | 2,984 websites |
 Germany | 2,024 websites |
 France | 1,756 websites |
 Italy | 788 websites |
 Japan | 761 websites |
 Cyprus | 709 websites |
 GB | 675 websites |
 Brazil | 664 websites |
 Spain | 615 websites |
Website Distribution by TLD
Number of websites using CVE-2025-14468| .com | 16,082 websites |
| .ru | 2,959 websites |
| .net | 1,581 websites |
| .org | 1,360 websites |
| .it | 843 websites |
| .com.br | 693 websites |
| .fr | 574 websites |
| .de | 488 websites |
| .info | 404 websites |
| .co.uk | 361 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-14468
Top websites that are affected by CVE-2025-14468. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********.com | United States | *** | |
| ************.com | United States | **,*** | |
| **********.ru | United States | **,*** | |
| *******.fr | United States | **,*** | |
| ***********.com | United States | **,*** | |
| ***************.com | United States | **,*** | |
| *******.de | United States | **,*** | |
| ***********.com |  Canada | **,*** | |
| **********.com | United States | **,*** | |
| ******.com | United States | **,*** |
FAQ
CVE-2025-14468 is Cross-Site Request Forgery (CSRF) in AMP for WP
A total of 31,565 websites have been identified as vulnerable to CVE-2025-14468, based on global website indexing conducted by WebTechSurvey.
The AMP for WP is affected by the CVE-2025-14468 vulnerability.
AMP for WP versions up to and including 1.1.9 are vulnerable to CVE-2025-14468.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0d195034-4617-474d-a4b1-b299c1607f89?source=cve
- https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.9/templates/template-mode/template-mode.php#L119
- https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.9/templates/template-mode/template-mode.php#L50
- https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.9/templates/template-mode/template-mode.php#L698
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3426181%40accelerated-mobile-pages%2Ftrunk&old=3402644%40accelerated-mobile-pages%2Ftrunk&sfp_email=&sfph_mail=#file4