Vulnerabilities > CVE-2025-0954

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

low complexity

CWE-862

NVD

Published: 2025-03-05

Updated: 2025-03-05

Summary

The WP Online Contract plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the json_import() and json_export() functions in all versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to import and export the plugin's settings.

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://codecanyon.net/item/wp-online-contract/7698011
https://www.wordfence.com/threat-intel/vulnerabilities/id/70f464ca-ff6c-4c2e-8b56-bf5e4bc6bd1f?source=cve

Vulnerabilities > CVE-2025-0954 {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"CVE-2025-0954"}]}

Summary

Common Weakness Enumeration (CWE)

References

Vulnerabilities > CVE-2025-0954