{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6720", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-26T14:04:57.263Z", "datePublished": "2025-07-19T05:32:09.543Z", "dateUpdated": "2026-04-08T17:23:57.411Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:57.411Z"}, "affected": [{"vendor": "bandido", "product": "MORKVA Vchasno Kasa Integration", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_all_log() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to clear log files."}], "title": "Vchasno Kasa <= 1.0.3 - Unauthenticated Log File Clearing", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd03483a-f46c-4e17-8b58-df87b0ad7fa3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mrkv-vchasno-kasa/trunk/classes/mrkv-setup.php#L245"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3328827%40mrkv-vchasno-kasa&new=3328827%40mrkv-vchasno-kasa&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Phong Nguyen"}], "timeline": [{"time": "2025-07-07T14:15:19.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-07-18T17:11:58.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-21T17:51:10.674972Z", "id": "CVE-2025-6720", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-21T17:56:09.772Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6720", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-21T17:51:10.674972Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-21T17:56:05.788Z"}}], "cna": {"title": "Vchasno Kasa <= 1.0.3 - Unauthenticated Log File Clearing", "credits": [{"lang": "en", "type": "finder", "value": "Phong Nguyen"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "bandido", "product": "MORKVA Vchasno Kasa Integration", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-07T14:15:19.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-07-18T17:11:58.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd03483a-f46c-4e17-8b58-df87b0ad7fa3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mrkv-vchasno-kasa/trunk/classes/mrkv-setup.php#L245"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3328827%40mrkv-vchasno-kasa&new=3328827%40mrkv-vchasno-kasa&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_all_log() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to clear log files."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:57.411Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6720", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:23:57.411Z", "dateReserved": "2025-06-26T14:04:57.263Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-19T05:32:09.543Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_all_log() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to clear log files."}, {"lang": "es", "value": "El complemento Vchasno Kasa para WordPress es vulnerable a la p\u00e9rdida no autorizada de datos debido a la falta de comprobaci\u00f3n de la funci\u00f3n clear_all_log() en todas las versiones hasta la 1.0.3 incluida. Esto permite que atacantes no autenticados borren los archivos de registro."}], "id": "CVE-2025-6720", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-19T06:15:24.127", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mrkv-vchasno-kasa/trunk/classes/mrkv-setup.php#L245"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3328827%40mrkv-vchasno-kasa&new=3328827%40mrkv-vchasno-kasa&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd03483a-f46c-4e17-8b58-df87b0ad7fa3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T20:13:52.880808+00:00", "value": {"mitigation_remediation": ["Update the Vchasno Kasa plugin to the latest version of 1.0.4 or newer, if available", "If an upgrade is not possible, disable or uninstall the plugin to eliminate the risk", "Restrict web access to the plugin\u2019s administrative functions by applying network or role\u2011based controls, and monitor logs for abnormal deletion activity"], "summary": {"action": "Update Plugin", "impact": "Log Record Deletion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the Vchasno Kasa plugin for WordPress via the MORKVA Vchasno Kasa Integration by bandido. Versions up to and including 1.0.3 are impacted; newer releases are presumed to have resolved the issue.", "description_and_impact": "A missing capability check inside the clear_all_log function in the Vchasno Kasa WordPress plugin allows an attacker to remove log entries without any authentication. This flaw does not provide code execution or direct access to sensitive data, but it removes the ability for site operators to audit activity or investigate incidents, effectively erasing forensic evidence. The weakness is identified as a missing privilege validation (CWE-862).", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity. The EPSS score of less than 1% shows that current exploitation probability is very low. The flaw is not listed in the CISA KEV catalog, suggesting no known public exploits. Attackers can trigger the clear_all_log operation remotely through the plugin\u2019s exposed endpoint without authentication, making the exploitation path straightforward provided the plugin is active on the site."}}}}, "created": "2025-07-21T15:17:00.294675+00:00", "updated": "2026-04-20T20:15:06.225091+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}