{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11887", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-16T18:05:59.699Z", "datePublished": "2025-10-24T08:23:57.786Z", "dateUpdated": "2026-04-08T16:44:08.094Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:08.094Z"}, "affected": [{"vendor": "tiagohillebrandt", "product": "Supervisor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Supervisor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update various plugin settings."}], "title": "Supervisor <= 1.3.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d3e2880-bb86-4263-9ed4-25a9769890e4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3383178%40supervisor&new=3383178%40supervisor&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-23T19:46:03.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-24T12:10:56.866429Z", "id": "CVE-2025-11887", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-24T12:31:17.316Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11887", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-24T12:10:56.866429Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-24T12:10:57.662Z"}}], "cna": {"title": "Supervisor <= 1.3.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "tiagohillebrandt", "product": "Supervisor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-23T19:46:03.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d3e2880-bb86-4263-9ed4-25a9769890e4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3383178%40supervisor&new=3383178%40supervisor&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Supervisor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update various plugin settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:08.094Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11887", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:44:08.094Z", "dateReserved": "2025-10-16T18:05:59.699Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-24T08:23:57.786Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Supervisor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update various plugin settings."}], "id": "CVE-2025-11887", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-24T09:15:43.080", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3383178%40supervisor&new=3383178%40supervisor&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d3e2880-bb86-4263-9ed4-25a9769890e4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T23:35:05.432238+00:00", "value": {"mitigation_remediation": ["Apply the latest Supervisor plugin version (>=1.3.3) to remove the vulnerability.", "If an upgrade cannot be performed immediately, disable the AJAX endpoints that handle settings changes or restrict them via a custom code snippet.", "Revoke Subscriber-level access to the plugin\u2019s settings by adjusting role capabilities, ensuring only administrators can modify these settings."], "summary": {"action": "Patch Plugin", "impact": "Unauthorized settings modification via missing capability check"}, "threat_synthesis": {"affected_systems": "Vendor: tiagohillebrandt; Product: Supervisor plugin for WordPress; Versions affected: all releases up to and including 1.3.2. Users of any WordPress site that have installed these versions are vulnerable.", "description_and_impact": "The Supervisor plugin for WordPress contains missing capability checks on several AJAX functions in all versions up to and including 1.3.2. This flaw permits an authenticated user with Subscriber-level access or higher to alter plugin configuration settings. While it does not provide remote code execution or privilege escalation to super admin, the ability to modify the settings can influence the plugin\u2019s behavior, potentially enabling malicious features or disabling security controls, which may degrade the site\u2019s integrity or availability.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a very low probability of exploitation. The vulnerability is listed as not part of the CISA KEV catalog. The attack requires an authenticated user with at least Subscriber role; it is most likely to be abused in a scenario where an attacker has accessed a legitimate account. After authenticating, the attacker can send crafted AJAX requests to modify settings, achieving unwarranted changes that could affect site functionality."}}}}, "created": "2025-10-27T22:13:08.959692+00:00", "updated": "2026-04-27T23:45:15.884533+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}