{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13496", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-20T22:07:48.950Z", "datePublished": "2026-01-07T08:21:55.684Z", "dateUpdated": "2026-04-08T17:31:48.941Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:48.941Z"}, "affected": [{"vendor": "moosend", "product": "Moosend Landing Pages", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the 'moosend_landing_api_key' option value."}], "title": "Moosend Landing Pages <= 1.1.6 - Missing Authorization to Authenticated (Subscriber+) Option Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eeb4b3b1-47ae-4314-a386-832949456f81?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/moosend-landing-pages/trunk/forms/auth-request.php#L7"}, {"url": "https://plugins.trac.wordpress.org/browser/moosend-landing-pages/tags/1.1.6/forms/auth-request.php#L7"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2026-01-06T19:38:46.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T16:25:56.629622Z", "id": "CVE-2025-13496", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T16:26:03.705Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13496", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T16:25:56.629622Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T16:25:59.963Z"}}], "cna": {"title": "Moosend Landing Pages <= 1.1.6 - Missing Authorization to Authenticated (Subscriber+) Option Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "moosend", "product": "Moosend Landing Pages", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-06T19:38:46.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eeb4b3b1-47ae-4314-a386-832949456f81?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/moosend-landing-pages/trunk/forms/auth-request.php#L7"}, {"url": "https://plugins.trac.wordpress.org/browser/moosend-landing-pages/tags/1.1.6/forms/auth-request.php#L7"}], "descriptions": [{"lang": "en", "value": "The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the 'moosend_landing_api_key' option value."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-07T08:21:55.684Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13496", "state": "PUBLISHED", "dateUpdated": "2026-01-07T16:26:03.705Z", "dateReserved": "2025-11-20T22:07:48.950Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-07T08:21:55.684Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the 'moosend_landing_api_key' option value."}, {"lang": "es", "value": "El plugin Moosend Landing Pages para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n moosend_landings_auth_get en todas las versiones hasta la 1.1.6, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, eliminen el valor de la opci\u00f3n 'moosend_landing_api_key'."}], "id": "CVE-2025-13496", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-07T12:16:48.183", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/moosend-landing-pages/tags/1.1.6/forms/auth-request.php#L7"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/moosend-landing-pages/trunk/forms/auth-request.php#L7"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eeb4b3b1-47ae-4314-a386-832949456f81?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:33:08.562339+00:00", "value": {"mitigation_remediation": ["Upgrade the Moosend Landing Pages plugin to a version newer than 1.1.6 that includes the missing capability check or apply a patch that enforces authorization on the affected function.", "If upgrading is not immediately possible, remove or disable the problematic authentication request file or function to prevent the delete action from being invoked.", "Limit the number of users with Subscriber or higher roles, or reconfigure role capabilities to restrict this privilege until a proper fix is implemented."], "summary": {"action": "Apply Patch", "impact": "Unauthorized deletion of plugin option value"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Moosend Landing Pages plugin for WordPress, all releases up to and including version 1.1.6. Users who have installed any of these versions and have at least Subscriber-level account permissions are at risk.", "description_and_impact": "The Moosend Landing Pages plugin for WordPress lacks a capability check on the function that handles subscriber interactions, allowing any authenticated user with Subscriber-level access or higher to delete the 'moosend_landing_api_key' option. This flaw is a missing authorization weakness (CWE\u2011862) and can lead to loss of service or disruption of the plugin\u2019s integration with Moosend. The impact is limited to modification of a plugin setting, but it can compromise the functionality of marketing forms that rely on that key.", "risk_and_exploitability": "With a CVSS score of 5.3 the vulnerability is of moderate severity. The EPSS score is below 1% and the flaw is not listed in CISA\u2019s KEV catalog, indicating a low likelihood of widespread exploitation. The attack vector involves authenticated access; an attacker who gains or already possesses a Subscriber account can trigger the deletion simply by visiting the endpoint that executes the unauthorized function. No additional system compromise or network-level attack is required."}}}}, "created": "2026-01-08T09:49:28.476051+00:00", "updated": "2026-04-21T00:45:23.085291+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}