{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67926", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T09:59:49.437Z", "datePublished": "2026-01-08T09:17:47.946Z", "dateUpdated": "2026-04-28T16:14:24.155Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "fluent-support", "product": "Fluent Support", "vendor": "Shahjahan Jewel", "versions": [{"changes": [{"at": "1.10.5", "status": "unaffected"}], "lessThanOrEqual": "1.10.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:54.807Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Shahjahan Jewel Fluent Support fluent-support allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Fluent Support: from n/a through <= 1.10.4.</p>"}], "value": "Missing Authorization vulnerability in Shahjahan Jewel Fluent Support fluent-support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fluent Support: from n/a through <= 1.10.4."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.155Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/fluent-support/vulnerability/wordpress-fluent-support-plugin-1-10-4-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Fluent Support plugin <= 1.10.4 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T18:04:02.210701Z", "id": "CVE-2025-67926", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:04:05.270Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67926", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T18:04:02.210701Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T14:54:50.514Z"}}], "cna": {"title": "WordPress Fluent Support plugin <= 1.10.4 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Shahjahan Jewel", "product": "Fluent Support", "versions": [{"status": "affected", "changes": [{"at": "1.10.5", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.10.4"}], "packageName": "fluent-support", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:54.807Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/fluent-support/vulnerability/wordpress-fluent-support-plugin-1-10-4-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Shahjahan Jewel Fluent Support fluent-support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fluent Support: from n/a through <= 1.10.4.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Shahjahan Jewel Fluent Support fluent-support allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Fluent Support: from n/a through <= 1.10.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:54.671Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67926", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:04:05.270Z", "dateReserved": "2025-12-15T09:59:49.437Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-08T09:17:47.946Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Shahjahan Jewel Fluent Support fluent-support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fluent Support: from n/a through <= 1.10.4."}], "id": "CVE-2025-67926", "lastModified": "2026-04-27T18:16:49.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-08T10:15:51.620", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/fluent-support/vulnerability/wordpress-fluent-support-plugin-1-10-4-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:17:55.838834+00:00", "value": {"mitigation_remediation": ["Update the Fluent Support plugin to the latest version that includes the fix for the broken access control issue.", "After updating, review and tighten the plugin\u2019s role permissions to ensure only authorized users can access support ticket functionality.", "If an update is not yet available, remove or disable the plugin\u2019s administrative endpoints, or enforce stricter WordPress role restrictions to block unauthorized access to support features."], "summary": {"action": "Apply Patch Immediately", "impact": "Unauthorized Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Affected systems include WordPress sites that use the Shahjahan Jewel Fluent Support plugin from any unreleased build through version\u202f1.10.4. The vulnerability applies to all installations of the plugin that have not been updated beyond this release. No specific operating system or WordPress version is mentioned in the advisory, so all WordPress environments that run the vulnerable plugin are impacted.", "description_and_impact": "A missing authorization check in the Fluent Support WordPress plugin allows an attacker to bypass intended access restrictions. The flaw arises from incorrectly configured security levels, enabling the exploitation of privilege boundaries. Attackers could potentially gain unauthorized access to support tickets, modify content, or view sensitive information that should be protected by user roles, thereby compromising confidentiality or integrity of support data.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate level of severity. The EPSS score of less than 1% suggests that, while the vulnerability exists, the likelihood of exploitation in the wild is currently low. The plugin does not appear in the CISA KEV catalog, which aligns with its low EPSS. Based on the description, the attack vector is inferred to involve authenticated users who gain access to the plugin\u2019s administrative functionality but are granted broader privileges than intended. An attacker with such access could exploit the broken access control to read or modify support tickets, thereby violating confidentiality, integrity, or availability of support data."}}}}, "created": "2026-01-09T13:25:23.416200+00:00", "updated": "2026-04-28T18:30:37.320620+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}