{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5815", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-06T16:20:03.177Z", "datePublished": "2025-06-13T03:41:44.276Z", "dateUpdated": "2026-04-08T16:53:05.800Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:05.800Z"}, "affected": [{"vendor": "dmitriamartin", "product": "Traffic Monitor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.2.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Traffic Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tfcm_maybe_set_bot_flags() function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to disabled bot logging."}], "title": "Traffic Monitor <= 3.2.2 - Missing Authorization to Unauthenticated Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/538669c7-3237-4059-85dc-4f4af1ff5a19?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/traffic-monitor/trunk/traffic-monitor.php#L74"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3309996%40traffic-monitor&new=3309996%40traffic-monitor&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "ch4r0n"}], "timeline": [{"time": "2025-06-09T21:11:58.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-06-12T14:33:50.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-13T19:06:29.763940Z", "id": "CVE-2025-5815", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-13T19:06:43.240Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5815", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-13T19:06:29.763940Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-13T19:06:39.564Z"}}], "cna": {"title": "Traffic Monitor <= 3.2.2 - Missing Authorization to Unauthenticated Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "ch4r0n"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "dmitriamartin", "product": "Traffic Monitor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.2.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-09T21:11:58.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-06-12T14:33:50.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/538669c7-3237-4059-85dc-4f4af1ff5a19?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/traffic-monitor/trunk/traffic-monitor.php#L74"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3309996%40traffic-monitor&new=3309996%40traffic-monitor&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Traffic Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tfcm_maybe_set_bot_flags() function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to disabled bot logging."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:05.800Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5815", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:53:05.800Z", "dateReserved": "2025-06-06T16:20:03.177Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-13T03:41:44.276Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Traffic Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tfcm_maybe_set_bot_flags() function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to disabled bot logging."}, {"lang": "es", "value": "El complemento Traffic Monitor para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n tfcm_maybe_set_bot_flags() en todas las versiones hasta la 3.2.2 incluida. Esto permite que atacantes no autenticados deshabiliten el registro de bots."}], "id": "CVE-2025-5815", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-06-13T04:15:33.020", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/traffic-monitor/trunk/traffic-monitor.php#L74"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3309996%40traffic-monitor&new=3309996%40traffic-monitor&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/538669c7-3237-4059-85dc-4f4af1ff5a19?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T01:21:49.957258+00:00", "value": {"mitigation_remediation": ["Upgrade the Traffic Monitor plugin to the latest version that includes the missing capability check.", "If an upgrade cannot be performed immediately, restrict public access to the WordPress admin area using IP whitelisting or two\u2011factor authentication to limit the ability of unauthenticated users to interact with the plugin\u2019s endpoints.", "Monitor WordPress logs for any unauthorized changes to Traffic Monitor settings so that potential exploitation can be detected quickly."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized modification of plugin settings disabling bot logging"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the dmitriamartin Traffic Monitor plugin, any version up to and including 3.2.2.", "description_and_impact": "The Traffic Monitor plugin for WordPress contains a missing capability check in the tfcm_maybe_set_bot_flags() function. This flaw allows an unauthenticated user to alter plugin settings and disable bot logging, thereby compromising the integrity of the site\u2019s monitoring capabilities. The weakness is an Authorization issue (CWE-862).", "risk_and_exploitability": "The CVSS score of 5.3 indicates medium severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector involves sending crafted HTTP requests to the plugin\u2019s interface or accessing its administrative endpoints without authentication, which triggers the missing capability check."}}}}, "created": "2026-04-22T01:30:05.234028+00:00", "updated": "2026-04-22T01:30:05.234039+00:00", "vendors": []}