{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11255", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-03T12:01:49.445Z", "datePublished": "2025-10-25T06:49:22.427Z", "dateUpdated": "2026-04-08T16:58:03.666Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:03.666Z"}, "affected": [{"vendor": "cyberlord92", "product": "Password Policy Manager | Password Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Password Policy Manager | Password Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'moppm_ajax' AJAX endpoint in all versions up to, and including, 2.0.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to log out the site's connection to miniorange."}], "title": "Password Policy Manager | Password Manager <= 2.0.5 - Missing Authorization to Authenticated (Subscriber+) Configuration Log Out", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/66ac51f9-3571-4e07-a110-afec43abab37?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3381127%40password-policy-manager&new=3381127%40password-policy-manager&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-24T18:09:09.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T15:52:15.899267Z", "id": "CVE-2025-11255", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:52:24.137Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11255", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-27T15:52:15.899267Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:52:20.794Z"}}], "cna": {"title": "Password Policy Manager | Password Manager <= 2.0.5 - Missing Authorization to Authenticated (Subscriber+) Configuration Log Out", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "cyberlord92", "product": "Password Policy Manager | Password Manager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-24T18:09:09.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/66ac51f9-3571-4e07-a110-afec43abab37?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3381127%40password-policy-manager&new=3381127%40password-policy-manager&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Password Policy Manager | Password Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'moppm_ajax' AJAX endpoint in all versions up to, and including, 2.0.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to log out the site's connection to miniorange."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:03.666Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11255", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:58:03.666Z", "dateReserved": "2025-10-03T12:01:49.445Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-25T06:49:22.427Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Password Policy Manager | Password Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'moppm_ajax' AJAX endpoint in all versions up to, and including, 2.0.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to log out the site's connection to miniorange."}], "id": "CVE-2025-11255", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-25T07:15:40.000", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3381127%40password-policy-manager&new=3381127%40password-policy-manager&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/66ac51f9-3571-4e07-a110-afec43abab37?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:01:11.727054+00:00", "value": {"mitigation_remediation": ["Upgrade the Password Policy Manager | Password Manager plugin to a version newer than 2.0.5 once a patch is released.", "If an upgrade is not immediately possible, disable the plugin to remove the vulnerable AJAX endpoint and any MiniOrange integration from the site.", "Reduce the privileges of user roles so that the Subscriber role no longer has permission to authenticate to external services; consider using a custom role with more restrictive capabilities for non\u2011administrators."], "summary": {"action": "Patch", "impact": "Unauthorized Logout via Missing Authorization Check"}, "threat_synthesis": {"affected_systems": "All installations of the Password Policy Manager | Password Manager plugin for WordPress in versions 2.0.5 or earlier are affected. The plugin is developed by cyberlord92 and is available through the WordPress repository. Administrators should verify the installed version and upgrade or remove the plugin if it falls within the vulnerable range.", "description_and_impact": "The Password Policy Manager | Password Manager plugin for WordPress contains a missing capability check on the 'moppm_ajax' AJAX endpoint in versions up to and including 2.0.5. This flaw is categorized as a CWE\u2011862 missing authorization problem. It permits any authenticated user with a Subscriber role or higher to trigger the endpoint, causing the site to log out of its connection to the MiniOrange authentication service. The result is an unauthorized modification of plugin data that can disrupt the authentication flow and potentially prevent users from logging in via MiniOrange after the logout occurs.", "risk_and_exploitability": "The vulnerability has a CVSS score of 4.3, indicating moderate severity, and an EPSS score of less than 1\u202f%, showing a very low likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. Attackers must be authenticated with at least Subscriber permissions, so the attack vector is inferred to be a local, authenticated request to the AJAX endpoint. Because of the low exploitation probability and moderate impact, the overall risk is moderate but still noteworthy for maintaining authentication integrity."}}}}, "created": "2025-10-27T22:10:13.890355+00:00", "updated": "2026-04-22T14:15:20.377650+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}