{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-0954", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-01-31T20:00:10.045Z", "datePublished": "2025-03-05T09:21:47.168Z", "dateUpdated": "2026-04-08T17:00:28.092Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:28.092Z"}, "affected": [{"vendor": "futuredesigngrp", "product": "WP Online Contract", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Online Contract plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the json_import() and json_export() functions in all versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to import and export the plugin's settings."}], "title": "WP Online Contract <= 5.1.4 - Missing Authorization to Unauthenticated Settings Import", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70f464ca-ff6c-4c2e-8b56-bf5e4bc6bd1f?source=cve"}, {"url": "https://codecanyon.net/item/wp-online-contract/7698011"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "timeline": [{"time": "2025-03-04T21:12:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-05T14:22:30.762733Z", "id": "CVE-2025-0954", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-05T14:22:38.971Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0954", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-05T14:22:30.762733Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-05T14:22:34.758Z"}}], "cna": {"title": "WP Online Contract <= 5.1.4 - Missing Authorization to Unauthenticated Settings Import", "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "futuredesigngrp", "product": "WP Online Contract", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.1.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-04T21:12:27.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70f464ca-ff6c-4c2e-8b56-bf5e4bc6bd1f?source=cve"}, {"url": "https://codecanyon.net/item/wp-online-contract/7698011"}], "descriptions": [{"lang": "en", "value": "The WP Online Contract plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the json_import() and json_export() functions in all versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to import and export the plugin's settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-05T09:21:47.168Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0954", "state": "PUBLISHED", "dateUpdated": "2025-03-05T14:22:38.971Z", "dateReserved": "2025-01-31T20:00:10.045Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-05T09:21:47.168Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Online Contract plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the json_import() and json_export() functions in all versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to import and export the plugin's settings."}, {"lang": "es", "value": "El complemento WP Online Contract para WordPress es vulnerable al acceso no autorizado debido a una falta de verificaci\u00f3n de capacidad en las funciones json_import() y json_export() en todas las versiones hasta la 5.1.4 incluida. Esto permite que atacantes no autenticados importen y exporten la configuraci\u00f3n del complemento."}], "id": "CVE-2025-0954", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-03-05T10:15:19.130", "references": [{"source": "security@wordfence.com", "url": "https://codecanyon.net/item/wp-online-contract/7698011"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70f464ca-ff6c-4c2e-8b56-bf5e4bc6bd1f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T03:31:39.293967+00:00", "value": {"mitigation_remediation": ["Update WP Online Contract to version 5.1.5 or newer, which removes the missing capability check.", "If an immediate update is not possible, limit access to the json_import and json_export routes by configuring WordPress user roles or by using a security plugin to block non\u2011administrator traffic to those URLs.", "As a temporary workaround, disable or delete the import/export functionality by editing the plugin\u2019s PHP files or by applying an .htaccess rule to deny access to the PHP script that implements these endpoints."], "summary": {"action": "Patch now", "impact": "Unauthorized configuration changes"}, "threat_synthesis": {"affected_systems": "All installations of the WP Online Contract plugin from its earliest release through version 5.1.4 are impacted. The plugin is developed by the futuredesigngrp team. No known backported fixes exist for these versions, so any site running a vulnerable instance remains at risk until the plugin is updated.", "description_and_impact": "The WP Online Contract plugin for WordPress contains a missing capability check on the json_import() and json_export() functions in all versions up to and including 5.1.4. Because of this flaw, unauthenticated users can send requests to the plugin\u2019s import and export endpoints and recover or modify the plugin's configuration settings. This allows an attacker to change how the contract works on the site, or to export the configuration for analysis, thereby compromising the integrity of the WordPress installation.", "risk_and_exploitability": "The CVSS score of 6.5 classifies the flaw as medium severity. The EPSS score of less than 1% indicates a very low likelihood of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw by sending unauthenticated HTTP requests to the import or export routes, making it a remote, unauthenticated threat that could alter site configuration."}}}}, "created": "2025-07-12T15:26:26.941052+00:00", "updated": "2026-04-28T03:45:20.277769+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}