{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11163", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-29T16:31:24.156Z", "datePublished": "2025-09-30T05:28:53.152Z", "dateUpdated": "2026-04-08T17:05:39.836Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:39.836Z"}, "affected": [{"vendor": "wpmudev", "product": "SmartCrawl SEO checker, analyzer & optimizer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.14.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SmartCrawl SEO checker, analyzer & optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_submodule() function in all versions up to, and including, 3.14.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's setttings."}], "title": "SmartCrawl SEO checker, analyzer & optimizer <= 3.14.3 - Missing Authorization to Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8a63a9b3-c056-45f3-952c-9aee997d1d27?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/smartcrawl-seo/tags/3.14.2/includes/core/controllers/class-submodule-controller.php#L123"}, {"url": "https://plugins.trac.wordpress.org/changeset/3366486/smartcrawl-seo/trunk/includes/core/controllers/class-submodule-controller.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-284 Improper Access Control", "cweId": "CWE-284", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "timeline": [{"time": "2025-09-29T16:47:13.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-29T16:32:13.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-30T15:41:07.958207Z", "id": "CVE-2025-11163", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-30T15:41:18.658Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11163", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-30T15:41:07.958207Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-30T15:41:12.460Z"}}], "cna": {"title": "SmartCrawl SEO checker, analyzer & optimizer <= 3.14.3 - Missing Authorization to Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpmudev", "product": "SmartCrawl SEO checker, analyzer & optimizer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.14.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-29T16:47:13.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-29T16:32:13.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8a63a9b3-c056-45f3-952c-9aee997d1d27?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/smartcrawl-seo/tags/3.14.2/includes/core/controllers/class-submodule-controller.php#L123"}, {"url": "https://plugins.trac.wordpress.org/changeset/3366486/smartcrawl-seo/trunk/includes/core/controllers/class-submodule-controller.php"}], "descriptions": [{"lang": "en", "value": "The SmartCrawl SEO checker, analyzer & optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_submodule() function in all versions up to, and including, 3.14.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's setttings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:39.836Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11163", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:05:39.836Z", "dateReserved": "2025-09-29T16:31:24.156Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-30T05:28:53.152Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SmartCrawl SEO checker, analyzer & optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_submodule() function in all versions up to, and including, 3.14.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's setttings."}, {"lang": "es", "value": "El plugin SmartCrawl SEO checker, analyzer &amp; optimizer para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n update_submodule() en todas las versiones hasta la 3.14.3, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, actualicen la configuraci\u00f3n del plugin."}], "id": "CVE-2025-11163", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-30T11:37:39.197", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/smartcrawl-seo/tags/3.14.2/includes/core/controllers/class-submodule-controller.php#L123"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3366486/smartcrawl-seo/trunk/includes/core/controllers/class-submodule-controller.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8a63a9b3-c056-45f3-952c-9aee997d1d27?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:17:24.699604+00:00", "value": {"mitigation_remediation": ["Upgrade SmartCrawl to version 3.15.0 or later", "If an upgrade is not possible immediately, deactivate the plugin until a patch is available", "Verify that any existing settings modifications have not altered SEO critical options and revert if necessary"], "summary": {"action": "Update", "impact": "Unauthorized Plugin Settings Modification"}, "threat_synthesis": {"affected_systems": "This flaw exists in the SmartCrawl SEO checker, analyzer & optimizer WordPress plugin by WPMU DEV for all versions up to 3.14.3 inclusive. Users running any of those releases on their WordPress installations are impacted.", "description_and_impact": "The vulnerability allows an attacker to change SmartCrawl plugin settings without proper authorization. The flaw is in the update_submodule() function where a capability check is omitted, enabling any authenticated user with Subscriber role or higher to modify configuration values. This could lead to configuration changes that affect SEO functionality, potentially redirecting traffic, changing meta data, or disrupting the site\u2019s search engine visibility, thereby compromising integrity and visibility of the website.", "risk_and_exploitability": "The CVSS score of 4.3 reflects a moderate impact with the attacker needing only authenticated access at the Subscriber level. EPSS indicates a very low exploitation probability (<1%), and the vulnerability is not listed in CISA\u2019s KEV catalog. However, because the attacker only requires valid credentials and the flaw is straightforward to exploit via the plugin\u2019s update endpoint, the risk remains non\u2011negligible for sites that permit many users with Subscriber or higher roles. Patch status is currently unknown, so the attack path is likely accessible via the plugin\u2019s settings update interface."}}}}, "created": "2025-10-02T08:46:23.788767+00:00", "updated": "2026-04-22T13:30:17.916667+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpmudev", "wpmudev$PRODUCT$smartcrawl"]}