{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1325", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-14T23:37:00.296Z", "datePublished": "2025-03-08T09:22:54.259Z", "dateUpdated": "2026-04-08T17:15:09.378Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:09.378Z"}, "affected": [{"vendor": "wppost", "product": "WP-Recall \u2013 Registration, Profile, Commerce & More", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "16.26.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP-Recall \u2013 Registration, Profile, Commerce & More plugin for WordPress is vulnerable to arbitrary shortcode execution due to a missing capability check on the 'rcl_preview_post' AJAX endpoint in all versions up to, and including, 16.26.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes."}], "title": "WP-Recall \u2013 Registration, Profile, Commerce & More <= 16.26.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Exeuction", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ad3b9040-05ed-452d-9b3f-26d1a93c62ba?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3250094/wp-recall/trunk/add-on/publicpost/functions-ajax.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Krzysztof Zaj\u0105c"}], "timeline": [{"time": "2025-03-07T20:52:18.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-10T16:56:58.015847Z", "id": "CVE-2025-1325", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-11T16:07:55.620Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1325", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-10T16:56:58.015847Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T16:56:59.224Z"}}], "cna": {"title": "WP-Recall \u2013 Registration, Profile, Commerce & More <= 16.26.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Exeuction", "credits": [{"lang": "en", "type": "finder", "value": "Krzysztof Zaj\u0105c"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}], "affected": [{"vendor": "wppost", "product": "WP-Recall \u2013 Registration, Profile, Commerce & More", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "16.26.10"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-07T20:52:18.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ad3b9040-05ed-452d-9b3f-26d1a93c62ba?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3250094/wp-recall/trunk/add-on/publicpost/functions-ajax.php"}], "descriptions": [{"lang": "en", "value": "The WP-Recall \u2013 Registration, Profile, Commerce & More plugin for WordPress is vulnerable to arbitrary shortcode execution due to a missing capability check on the 'rcl_preview_post' AJAX endpoint in all versions up to, and including, 16.26.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-08T09:22:54.259Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1325", "state": "PUBLISHED", "dateUpdated": "2025-03-11T16:07:55.620Z", "dateReserved": "2025-02-14T23:37:00.296Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-08T09:22:54.259Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:plechevandrey:wp-recall:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "E39CB4E3-D118-4652-8317-06A6DD1FD41D", "versionEndExcluding": "16.26.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP-Recall \u2013 Registration, Profile, Commerce & More plugin for WordPress is vulnerable to arbitrary shortcode execution due to a missing capability check on the 'rcl_preview_post' AJAX endpoint in all versions up to, and including, 16.26.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes."}, {"lang": "es", "value": "El complemento WP-Recall \u2013 Registration, Profile, Commerce &amp; More para WordPress es vulnerable a la ejecuci\u00f3n de c\u00f3digos cortos arbitrarios debido a una verificaci\u00f3n de capacidad faltante en el endpoint AJAX 'rcl_preview_post' en todas las versiones hasta la 16.26.10 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, ejecuten c\u00f3digos cortos arbitrarios."}], "id": "CVE-2025-1325", "lastModified": "2025-03-24T18:12:02.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-08T10:15:11.427", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3250094/wp-recall/trunk/add-on/publicpost/functions-ajax.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ad3b9040-05ed-452d-9b3f-26d1a93c62ba?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:38:30.435270+00:00", "value": {"mitigation_remediation": ["Upgrade WP-Recall to version 16.27 or later.", "If upgrading is not immediately possible, restrict the rcl_preview_post AJAX endpoint so that only users with appropriate capabilities can access it, or block the endpoint with a firewall rule.", "Monitor the site for unusual shortcode execution patterns and log entries referencing the rcl_preview_post endpoint to detect potential abuse."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Shortcode Execution"}, "threat_synthesis": {"affected_systems": "All installations of the WP-Recall plugin for WordPress up to and including version 16.26.10 are affected. The problem exists in the master plugin bundle and all add\u2011on modules that expose the rcl_preview_post endpoint. Any WordPress site that has not yet upgraded past 16.26.10 is therefore at risk.", "description_and_impact": "The WP-Recall \u2013 Registration, Profile, Commerce & More plugin is vulnerable because the rcl_preview_post AJAX endpoint performs no capability check before executing a shortcode. This omission allows an authenticated attacker who has at least Subscriber level access to supply and run any arbitrary shortcode on the site, potentially leading to malicious code execution, data exfiltration, or defacement. The weakness is a classic Missing Authorization flaw (CWE-862).", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.3, indicating moderate severity. The EPSS score of less than 1% shows that exploitation is unlikely to be widespread, and it is not listed in the CISA KEV catalog. Attackers must first be authenticated (Subscriber or higher) and then target the rcl_preview_post AJAX route, typically by submitting a crafted request from the browser or via a script. Given these constraints, the risk is significant for sites that grant many users Subscriber privileges but is unlikely to be exploited against highly secure or low\u2011privilege deployments."}}}}, "created": "2026-04-20T23:45:21.603351+00:00", "updated": "2026-04-20T23:45:21.603361+00:00", "vendors": []}