{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12820", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2025-11-06T18:01:23.626Z", "datePublished": "2025-12-20T06:00:08.473Z", "dateUpdated": "2026-04-02T12:39:53.175Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:53.175Z"}, "title": "Pure WC Variation Swatches <= 1.1.7 - Unauthenticated Settings Update", "problemTypes": [{"descriptions": [{"description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Pure WC Variation Swatches", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "1.1.7"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The Pure WC Variation Swatches WordPress plugin through 1.1.7 does not have an authorization check when updating its settings, which could allow any authenticated users to update them."}], "references": [{"url": "https://wpscan.com/vulnerability/36ccd54a-265a-44d5-b788-bc14446e3098/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Khaled Alenazi (Nxploited)", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-12-21T14:42:10.213465Z", "id": "CVE-2025-12820", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-21T14:42:14.024Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-12820", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-21T14:42:10.213465Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-21T14:42:00.619Z"}}], "cna": {"title": "Pure WC Variation Swatches <= 1.1.7 - Unauthenticated Settings Update", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Khaled Alenazi (Nxploited)"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Pure WC Variation Swatches", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.7"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/36ccd54a-265a-44d5-b788-bc14446e3098/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Pure WC Variation Swatches WordPress plugin through 1.1.7 does not have an authorization check when updating its settings, which could allow any authenticated users to update them."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:53.175Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12820", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:53.175Z", "dateReserved": "2025-11-06T18:01:23.626Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2025-12-20T06:00:08.473Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Pure WC Variation Swatches WordPress plugin through 1.1.7 does not have an authorization check when updating its settings, which could allow any authenticated users to update them."}], "id": "CVE-2025-12820", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-12-20T06:15:50.813", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/36ccd54a-265a-44d5-b788-bc14446e3098/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred"}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T22:37:48.417916+00:00", "value": {"mitigation_remediation": ["Upgrade the Pure WC Variation Swatches plugin to version 1.1.8 or newer.", "Reset the plugin\u2019s configuration to default values after updating to ensure no unexpected changes remain.", "If an upgrade is not immediately possible, restrict access to the plugin\u2019s settings page to administrator users only, or disable the plugin temporarily until a patch can be applied."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized modification of plugin settings by any authenticated WordPress user"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Pure WC Variation Swatches plugin for WordPress with version numbers up to and including 1.1.7. Versions 1.1.8 and later are presumed to contain the fix. Site administrators should verify the installed version before proceeding.", "description_and_impact": "The Pure WC Variation Swatches plugin for WordPress through version 1.1.7 does not perform an authentication check when updating its configuration. Because of this, any user who can log into the WordPress site can modify the plugin\u2019s settings. These changes can alter the site\u2019s appearance or behavior, potentially causing undesired effects.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only user authentication, and can be achieved via the plugin\u2019s settings interface, making the attack vector accessible to any authenticated user, including those with limited roles."}}}}, "created": "2025-12-21T21:12:27.038068+00:00", "updated": "2026-04-28T22:45:25.939084+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-284"]}