{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5190", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-26T05:12:25.477Z", "datePublished": "2025-05-30T11:15:10.217Z", "dateUpdated": "2026-04-08T17:06:32.803Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:32.803Z"}, "affected": [{"vendor": "sorich87", "product": "Browse As", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Browse As plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2. This is due to incorrect authentication checking in the 'IS_BA_Browse_As::notice' function with the 'is_ba_original_user_COOKIEHASH' cookie value. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator, if they have access to the user id."}], "title": "Browse As <= 0.2 - Authenticated (Subscriber+) Authentication Bypass via Cookie", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f5722b0-0d54-4c44-b168-a886da1077cb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/browse-as/tags/0.2/browse-as.php#L115"}, {"url": "https://plugins.trac.wordpress.org/browser/browse-as/tags/0.2/browse-as.php#L92"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "cweId": "CWE-288", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "timeline": [{"time": "2025-05-26T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-05-26T00:00:00.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-05-29T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-30T12:15:47.242645Z", "id": "CVE-2025-5190", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T12:16:17.522Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5190", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-30T12:15:47.242645Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T12:15:58.716Z"}}], "cna": {"title": "Browse As <= 0.2 - Authenticated (Subscriber+) Authentication Bypass via Cookie", "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "sorich87", "product": "Browse As", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-26T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-05-26T00:00:00.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-05-29T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f5722b0-0d54-4c44-b168-a886da1077cb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/browse-as/tags/0.2/browse-as.php#L115"}, {"url": "https://plugins.trac.wordpress.org/browser/browse-as/tags/0.2/browse-as.php#L92"}], "descriptions": [{"lang": "en", "value": "The Browse As plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2. This is due to incorrect authentication checking in the 'IS_BA_Browse_As::notice' function with the 'is_ba_original_user_COOKIEHASH' cookie value. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator, if they have access to the user id."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:32.803Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5190", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:06:32.803Z", "dateReserved": "2025-05-26T05:12:25.477Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-30T11:15:10.217Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Browse As plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2. This is due to incorrect authentication checking in the 'IS_BA_Browse_As::notice' function with the 'is_ba_original_user_COOKIEHASH' cookie value. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator, if they have access to the user id."}, {"lang": "es", "value": "El complemento Browse As para WordPress es vulnerable a la omisi\u00f3n de autenticaci\u00f3n en versiones hasta la 0.2 incluida. Esto se debe a una comprobaci\u00f3n de autenticaci\u00f3n incorrecta en la funci\u00f3n 'IS_BA_Browse_As::notice' con el valor de cookie 'is_ba_original_user_COOKIEHASH'. Esto permite que atacantes autenticados, con permisos de suscriptor o superiores, inicien sesi\u00f3n como cualquier usuario del sitio, como un administrador, si tienen acceso al ID de usuario."}], "id": "CVE-2025-5190", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-30T12:15:21.103", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/browse-as/tags/0.2/browse-as.php#L115"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/browse-as/tags/0.2/browse-as.php#L92"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f5722b0-0d54-4c44-b168-a886da1077cb?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:34:03.754212+00:00", "value": {"mitigation_remediation": ["Update the Browse As plugin to the latest available release (currently 0.3 or later) or remove the plugin if it is not needed.", "Restrict subscriber-level permissions to the minimum required for legitimate users, and revoke any unnecessary role privileges that might allow the use of the bypass.", "Audit the site for any evidence of unauthorized account usage and consider resetting passwords for all accounts, especially administrators.", "As a temporary measure, delete or block the is_ba_original_user_COOKIEHASH cookie from the browser to prevent the bypass if the plugin must remain installed."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the Browse As plugin (author sorich87) installed on WordPress sites. All installations running version 0.2 or earlier are impacted; no later releases have been identified as vulnerable. Site administrators should verify the current plugin version, as the issue is tied to the plugin code rather than WordPress core.", "description_and_impact": "The Browse As plugin for WordPress, versions up to and including 0.2, contains an authentication bypass flaw caused by improper validation of the is_ba_original_user_COOKIEHASH cookie within the IS_BA_Browse_As::notice function. This flaw permits any user who can authenticate as a subscriber or higher to assume the identity of any other user on the same site if they know the target\u2019s user ID. The result is unauthorized access to content and functions, potentially including administrative privileges, violating confidentiality and integrity.", "risk_and_exploitability": "The CVSS v3 score of 8.8 labels it as high severity, reflecting the heavy impact of impersonation. However, the EPSS score of less than 1% indicates that real\u2011world exploitation is currently unlikely, and the flaw is not listed in the CISA KEV catalog. The attack requires that the adversary already possess at least subscriber-level credentials on the target site; once authentic, they can manipulate the cookie to target any user ID, thereby bypassing all role\u2011based access controls."}}}}, "created": "2026-04-21T20:45:25.973698+00:00", "updated": "2026-04-21T20:45:25.973710+00:00", "vendors": []}