{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6721", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-26T14:07:49.904Z", "datePublished": "2025-07-19T05:32:08.936Z", "dateUpdated": "2026-04-08T16:54:26.633Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:26.633Z"}, "affected": [{"vendor": "bandido", "product": "MORKVA Vchasno Kasa Integration", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the mrkv_vchasno_kasa_wc_do_metabox_action() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to generate invoices for arbitrary orders."}], "title": "Vchasno Kasa <= 1.0.3 - Missing Authorization to Unauthenticated Invoice Generation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57ad3525-3257-4727-ba07-468bf13a94e2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mrkv-vchasno-kasa/trunk/classes/mrkv-setup.php#L395"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3328827%40mrkv-vchasno-kasa&new=3328827%40mrkv-vchasno-kasa&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Phong Nguyen"}], "timeline": [{"time": "2025-07-07T14:15:19.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-07-18T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-21T17:49:19.780725Z", "id": "CVE-2025-6721", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-21T17:50:45.903Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6721", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-21T17:49:19.780725Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-21T17:49:33.592Z"}}], "cna": {"title": "Vchasno Kasa <= 1.0.3 - Missing Authorization to Unauthenticated Invoice Generation", "credits": [{"lang": "en", "type": "finder", "value": "Phong Nguyen"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "bandido", "product": "MORKVA Vchasno Kasa Integration", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-07T14:15:19.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-07-18T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57ad3525-3257-4727-ba07-468bf13a94e2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mrkv-vchasno-kasa/trunk/classes/mrkv-setup.php#L395"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3328827%40mrkv-vchasno-kasa&new=3328827%40mrkv-vchasno-kasa&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the mrkv_vchasno_kasa_wc_do_metabox_action() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to generate invoices for arbitrary orders."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:26.633Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6721", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:54:26.633Z", "dateReserved": "2025-06-26T14:07:49.904Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-19T05:32:08.936Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the mrkv_vchasno_kasa_wc_do_metabox_action() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to generate invoices for arbitrary orders."}, {"lang": "es", "value": "El complemento Vchasno Kasa para WordPress es vulnerable al acceso no autorizado a datos debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n mrkv_vchasno_kasa_wc_do_metabox_action() en todas las versiones hasta la 1.0.3 incluida. Esto permite que atacantes no autenticados generen facturas para pedidos arbitrarios."}], "id": "CVE-2025-6721", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-19T06:15:24.307", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mrkv-vchasno-kasa/trunk/classes/mrkv-setup.php#L395"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3328827%40mrkv-vchasno-kasa&new=3328827%40mrkv-vchasno-kasa&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57ad3525-3257-4727-ba07-468bf13a94e2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:55:00.112532+00:00", "value": {"mitigation_remediation": ["Apply the latest version of the Vchasno Kasa plugin that includes the missing capability check", "If an update is not immediately possible, temporarily disable the plugin or remove the mrkv_vchasno_kasa_wc_do_metabox_action() endpoint from the site until a patch is applied", "If the plugin must remain active, implement an additional capability check in a custom plugin or via a WP hook to ensure that only users with an appropriate role can trigger invoice generation."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Invoice Generation"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the bandido Vchasno Kasa Integration plugin for WordPress up to version 1.0.3, inclusive.", "description_and_impact": "The Vchasno Kasa WordPress plugin contains a missing capability check in the mrkv_vchasno_kasa_wc_do_metabox_action() function. This flaw allows any visitor, even one who is not logged in, to request the creation of invoices for any order. As a result, attackers could generate fraudulent invoices, potentially leading to financial losses or the exposure of confidential order information.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate impact, while the EPSS score is reported as below 1\u202f%, suggesting a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, further indicating that it is not widely exploited in the wild. Attackers can exploit the weakness remotely by sending crafted requests to the plugin\u2019s endpoint, as the missing authorization check is performed server\u2011side."}}}}, "created": "2025-07-21T15:17:00.048716+00:00", "updated": "2026-04-21T04:00:10.060657+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}