{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-0856", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-01-29T18:41:52.271Z", "datePublished": "2025-05-06T22:22:31.740Z", "dateUpdated": "2026-04-08T17:02:38.920Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:38.920Z"}, "affected": [{"vendor": "Potenza Global Solutions", "product": "PGS Core", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.8.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The PGS Core plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.8.0. This makes it possible for unauthenticated attackers to add, modify, or plugin options."}], "title": "PGS Core <= 5.8.0 - Missing Authorization via Multiple Functions", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7c33b1cb-6eb1-48cd-b706-5ec270f4ae7e?source=cve"}, {"url": "https://docs.potenzaglobalsolutions.com/docs/ciyashop-wp/changelog/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "timeline": [{"time": "2025-01-29T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-01-29T00:00:00.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-05-06T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-07T13:22:31.229211Z", "id": "CVE-2025-0856", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T13:22:43.635Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0856", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-07T13:22:31.229211Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T13:22:40.520Z"}}], "cna": {"title": "PGS Core <= 5.8.0 - Missing Authorization via Multiple Functions", "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}}], "affected": [{"vendor": "Potenza Global Solutions", "product": "PGS Core", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.8.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-01-29T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-01-29T00:00:00.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-05-06T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7c33b1cb-6eb1-48cd-b706-5ec270f4ae7e?source=cve"}, {"url": "https://docs.potenzaglobalsolutions.com/docs/ciyashop-wp/changelog/"}], "descriptions": [{"lang": "en", "value": "The PGS Core plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.8.0. This makes it possible for unauthenticated attackers to add, modify, or plugin options."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:38.920Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0856", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:02:38.920Z", "dateReserved": "2025-01-29T18:41:52.271Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-06T22:22:31.740Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The PGS Core plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.8.0. This makes it possible for unauthenticated attackers to add, modify, or plugin options."}, {"lang": "es", "value": "El complemento PGS Core para WordPress es vulnerable al acceso no autorizado, la modificaci\u00f3n y la p\u00e9rdida de datos debido a la falta de comprobaci\u00f3n de capacidad en varias funciones en todas las versiones hasta la 5.8.0 incluida. Esto permite que atacantes no autenticados a\u00f1adan, modifiquen o modifiquen opciones del complemento."}], "id": "CVE-2025-0856", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-06T23:15:51.260", "references": [{"source": "security@wordfence.com", "url": "https://docs.potenzaglobalsolutions.com/docs/ciyashop-wp/changelog/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7c33b1cb-6eb1-48cd-b706-5ec270f4ae7e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:24:31.233931+00:00", "value": {"mitigation_remediation": ["Upgrade PGS Core to the latest version available (greater than 5.8.0) where the capability checks have been restored.", "If an immediate upgrade is not possible, disable or remove the PGS Core plugin from all vulnerable WordPress installations until a patch can be applied.", "Configure WordPress to enforce strict role\u2011based permissions, ensuring that only users with the wp_manage_options capability can modify plugin settings, to mitigate the risk of accidental or malicious changes."], "summary": {"action": "Apply Patch", "impact": "Unauthorized modification and loss of data via missing capability checks"}, "threat_synthesis": {"affected_systems": "The affected product is PGS Core supplied by Potenza Global Solutions for WordPress sites. Versions 5.8.0 and earlier are vulnerable; any site running the plugin in those releases is at risk.", "description_and_impact": "The PGS Core plugin for WordPress contains a missing capability check on several functions in all releases up to 5.8.0. This flaw allows an attacker who does not even have authentication credentials to add, alter or delete plugin options and settings, directly manipulating the site configuration and potentially compromising data integrity.", "risk_and_exploitability": "Based on the description, it is inferred that attacks would involve sending crafted HTTP requests to the plugin\u2019s endpoints, manipulating configuration options without any authentication, because the capability checks are missing. The CVSS score of 7.3 indicates high severity. The EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation is unlikely at present. Nonetheless, the ability for unauthenticated users to modify plugin settings poses a significant risk to data integrity and site stability, especially on large WordPress deployments."}}}}, "created": "2026-04-22T17:30:22.635356+00:00", "updated": "2026-04-22T17:30:22.635374+00:00", "vendors": []}