{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12676", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-03T22:02:11.284Z", "datePublished": "2025-11-05T07:27:56.492Z", "dateUpdated": "2026-04-08T17:12:43.962Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:43.962Z"}, "affected": [{"vendor": "mykiot", "product": "KiotViet Sync", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.8.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The KiotViet Sync plugin for WordPress is vulnerable to authorizarion bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attackers to create and sync products."}], "title": "KiotViet Sync <= 1.8.5 - Use of Hard-coded Password to Authorization Bypass", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2d7165b-1290-4032-8fbc-75ec1ab34a08?source=cve"}, {"url": "https://wordpress.org/plugins/kiotvietsync/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-259 Use of Hard-coded Password", "cweId": "CWE-259", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "timeline": [{"time": "2025-11-04T18:55:04.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-05T14:20:31.675546Z", "id": "CVE-2025-12676", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T14:20:41.378Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12676", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-05T14:20:31.675546Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T14:20:38.395Z"}}], "cna": {"title": "KiotViet Sync <= 1.8.5 - Use of Hard-coded Password to Authorization Bypass", "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "mykiot", "product": "KiotViet Sync", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.8.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-04T18:55:04.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2d7165b-1290-4032-8fbc-75ec1ab34a08?source=cve"}, {"url": "https://wordpress.org/plugins/kiotvietsync/"}], "descriptions": [{"lang": "en", "value": "The KiotViet Sync plugin for WordPress is vulnerable to authorizarion bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attackers to create and sync products."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-259", "description": "CWE-259 Use of Hard-coded Password"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:43.962Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12676", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:12:43.962Z", "dateReserved": "2025-11-03T22:02:11.284Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-05T07:27:56.492Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The KiotViet Sync plugin for WordPress is vulnerable to authorizarion bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attackers to create and sync products."}], "id": "CVE-2025-12676", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-05T08:15:33.680", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/kiotvietsync/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2d7165b-1290-4032-8fbc-75ec1ab34a08?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-259"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:50:36.804264+00:00", "value": {"mitigation_remediation": ["Update to the latest version of KiotViet Sync (\u22651.8.6) which removes the hard\u2011coded password.", "If an update is not immediately available, disable or uninstall the plugin to prevent unauthenticated access.", "Replace any hard\u2011coded credentials in the plugin\u2019s authentication hooks with a unique, non\u2011default password to eliminate the vulnerability.", "Regularly inspect the WordPress site for unauthorized product creation or sync activity and change the site admin password periodically."], "summary": {"action": "Apply patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the mykiot KiotViet Sync plugin in all releases up to and including version 1.8.5.", "description_and_impact": "The KiotViet Sync plugin for WordPress stores a hard\u2011coded password for authentication, allowing an attacker without valid credentials to bypass the plugin\u2019s authorization checks. This vulnerability permits unauthenticated users to create new products and trigger synchronization events, compromising the integrity of the site\u2019s product data and potentially enabling further malicious activity. The weakness corresponds to CWE\u2011259: Hard\u2011coded Password.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the near term. The plugin is not listed in CISA KEV. Based on the description, it is inferred that an attacker can exploit this by sending crafted HTTP requests to the plugin\u2019s QueryControllerAdmin endpoint from any network location, enabling authentication bypass in a remote manner."}}}}, "created": "2025-11-06T10:07:16.906612+00:00", "updated": "2026-04-21T02:00:12.290078+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}