{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15476", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-07T11:37:29.516Z", "datePublished": "2026-02-07T08:26:41.831Z", "dateUpdated": "2026-04-08T17:34:48.563Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:48.563Z"}, "affected": [{"vendor": "simonfairbairn", "product": "The Bucketlister", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add delete or modify arbitrary bucket list items."}], "title": "The Bucketlister <= 0.1.5 - Missing Authorization to Authenticated (Subscriber+) Bucket List Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc9e6374-8f9e-4c60-a86b-46cd4122abf9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/the-bucketlister/tags/0.1.5/bucketlister.php#L185"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}], "timeline": [{"time": "2025-12-14T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-06T20:26:32.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T18:55:32.316328Z", "id": "CVE-2025-15476", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T18:55:42.624Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15476", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T18:55:32.316328Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T18:55:36.524Z"}}], "cna": {"title": "The Bucketlister <= 0.1.5 - Missing Authorization to Authenticated (Subscriber+) Bucket List Modification", "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "simonfairbairn", "product": "The Bucketlister", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "0.1.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-14T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-06T20:26:32.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc9e6374-8f9e-4c60-a86b-46cd4122abf9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/the-bucketlister/tags/0.1.5/bucketlister.php#L185"}], "descriptions": [{"lang": "en", "value": "The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add delete or modify arbitrary bucket list items."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-07T08:26:41.831Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15476", "state": "PUBLISHED", "dateUpdated": "2026-02-09T18:55:42.624Z", "dateReserved": "2026-01-07T11:37:29.516Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-07T08:26:41.831Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add delete or modify arbitrary bucket list items."}, {"lang": "es", "value": "El plugin The Bucketlister para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n bucketlister_do_admin_ajax() en todas las versiones hasta la 0.1.5, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, a\u00f1adan, eliminen o modifiquen elementos arbitrarios de la lista de deseos."}], "id": "CVE-2025-15476", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-07T09:15:59.027", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/the-bucketlister/tags/0.1.5/bucketlister.php#L185"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc9e6374-8f9e-4c60-a86b-46cd4122abf9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T20:57:03.859739+00:00", "value": {"mitigation_remediation": ["Upgrade the Bucketlister plugin to a version newer than 0.1.5 or the most recent release.", "If the plugin is not needed, remove it entirely from the WordPress installation.", "Verify that the Subscriber role cannot trigger the bucketlister_do_admin_ajax() endpoint by disabling the endpoint or limiting AJAX capabilities."], "summary": {"action": "Update Plugin", "impact": "Unauthorized modification of bucket list items"}, "threat_synthesis": {"affected_systems": "WordPress sites running the simonfairbairn The Bucketlister plugin, versions up to and including 0.1.5, are affected. Any installation that has not been updated past 0.1.5 exposes the bug.", "description_and_impact": "The Bucketlister plugin for WordPress is vulnerable because the bucketlister_do_admin_ajax() function lacks a proper capability check. As a result, any authenticated user with Subscriber-level access or higher can add, delete, or modify arbitrary bucket list items. This can lead to unauthorized data tampering within the website\u2019s content.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 4.3 and an EPSS score of less than 1%, indicating a moderate severity and a very low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated Subscriber, and the attack vector is through the plugin\u2019s AJAX endpoint, which is accessible from the user\u2019s browser. No Remote Code Execution or Privilege Escalation beyond the existing subscriber privileges is possible."}}}}, "created": "2026-02-09T10:44:43.849525+00:00", "updated": "2026-04-20T21:00:12.965593+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}