{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1508", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-20T19:01:35.576Z", "datePublished": "2025-03-12T03:21:27.735Z", "dateUpdated": "2026-04-08T17:00:24.180Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:24.180Z"}, "affected": [{"vendor": "themeum", "product": "WP Crowdfunding", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.14", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all versions up to, and including, 2.1.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to download all of a site's post content when WooCommerce is installed."}], "title": "WP Crowdfunding <= 2.1.14 - Missing Authorization to Authenticated (Subscriber+) Post Content Download", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70a93afa-9801-41d2-8923-ca4ae6ae974f?source=cve"}, {"url": "https://wordpress.org/plugins/wp-crowdfunding/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3284694%40wp-crowdfunding&new=3284694%40wp-crowdfunding&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Krzysztof Zaj\u0105c"}], "timeline": [{"time": "2025-03-11T14:22:55.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-12T13:28:10.079757Z", "id": "CVE-2025-1508", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T13:31:16.173Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1508", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-12T13:28:10.079757Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T13:28:13.480Z"}}], "cna": {"title": "WP Crowdfunding <= 2.1.14 - Missing Authorization to Authenticated (Subscriber+) Post Content Download", "credits": [{"lang": "en", "type": "finder", "value": "Krzysztof Zaj\u0105c"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "themeum", "product": "WP Crowdfunding", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.14"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-11T14:22:55.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70a93afa-9801-41d2-8923-ca4ae6ae974f?source=cve"}, {"url": "https://wordpress.org/plugins/wp-crowdfunding/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3284694%40wp-crowdfunding&new=3284694%40wp-crowdfunding&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all versions up to, and including, 2.1.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to download all of a site's post content when WooCommerce is installed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:24.180Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1508", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:00:24.180Z", "dateReserved": "2025-02-20T19:01:35.576Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-12T03:21:27.735Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themeum:wp_crowdfunding:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "C04CAA7D-BAD6-4A60-8AFD-601C6B40D092", "versionEndIncluding": "2.1.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all versions up to, and including, 2.1.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to download all of a site's post content when WooCommerce is installed."}, {"lang": "es", "value": "El complemento WP Crowdfunding para WordPress es vulnerable al acceso no autorizado a datos debido a la falta de una comprobaci\u00f3n de capacidad en la acci\u00f3n download_data en todas las versiones hasta la 2.1.13 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, descarguen todo el contenido de las entradas de un sitio cuando WooCommerce est\u00e1 instalado."}], "id": "CVE-2025-1508", "lastModified": "2026-04-08T18:24:25.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-03-12T04:15:16.520", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3284694%40wp-crowdfunding&new=3284694%40wp-crowdfunding&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/wp-crowdfunding/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70a93afa-9801-41d2-8923-ca4ae6ae974f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T01:57:20.572956+00:00", "value": {"mitigation_remediation": ["Update WP Crowdfunding to the latest version that addresses the missing capability check.", "If an immediate update is not possible, limit the download_data action to administrator roles or disable it until a patch is applied.", "Verify that WooCommerce remains correctly configured and remove any unused download-related endpoints until the plugin is patched."], "summary": {"action": "Update Plugin", "impact": "Unauthorized Data Access"}, "threat_synthesis": {"affected_systems": "The affected vendor is Themeum, providing the WP Crowdfunding plugin. Versions up to and including 2.1.14 are vulnerable. The issue only manifests on WordPress sites that also have WooCommerce installed. All other WordPress installations without WooCommerce are not exposed to this specific download capability.", "description_and_impact": "The WP Crowdfunding plugin for WordPress has a missing capability check on the download_data action in all versions up to 2.1.14. This omission allows authenticated attackers with subscriber-level access or higher to download all of a site's post content when WooCommerce is installed. The result is an unauthorized leakage of confidential post data and a breach of data confidentiality.", "risk_and_exploitability": "The CVSS score is 5.3, indicating a moderate severity. The EPSS score is below 1\u202f%, suggesting a low likelihood of exploitation in the wild, and the vulnerability is not currently listed in CISA\u2019s KEV catalog. Attackers must be authenticated; a subscriber or higher role is sufficient. Once authenticated, the attacker can simply request the download_data endpoint to pull every post. Because the flaw resides in a capability check, removal of the capability or updating the plugin mitigates the risk."}}}}, "created": "2026-04-22T02:00:05.041286+00:00", "updated": "2026-04-22T02:00:05.041296+00:00", "vendors": []}