{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67994", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:44.501Z", "datePublished": "2026-02-20T15:46:32.934Z", "dateUpdated": "2026-04-28T16:14:25.529Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "yaycurrency", "product": "YayCurrency", "vendor": "YayCommerce", "versions": [{"changes": [{"at": "3.3.1", "status": "unaffected"}], "lessThanOrEqual": "3.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:25.038Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in YayCommerce YayCurrency yaycurrency allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects YayCurrency: from n/a through <= 3.3.</p>"}], "value": "Missing Authorization vulnerability in YayCommerce YayCurrency yaycurrency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YayCurrency: from n/a through <= 3.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:25.529Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/yaycurrency/vulnerability/wordpress-yaycurrency-plugin-3-3-arbitrary-content-deletion-vulnerability?_s_id=cve"}], "title": "WordPress YayCurrency plugin <= 3.3 - Arbitrary Content Deletion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T20:41:29.052187Z", "id": "CVE-2025-67994", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:10:46.401Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67994", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T20:41:29.052187Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T20:40:30.212Z"}}], "cna": {"title": "WordPress YayCurrency plugin <= 3.3 - Arbitrary Content Deletion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "YayCommerce", "product": "YayCurrency", "versions": [{"status": "affected", "changes": [{"at": "3.3.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.3"}], "packageName": "yaycurrency", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:25.038Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/yaycurrency/vulnerability/wordpress-yaycurrency-plugin-3-3-arbitrary-content-deletion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in YayCommerce YayCurrency yaycurrency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YayCurrency: from n/a through <= 3.3.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in YayCommerce YayCurrency yaycurrency allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects YayCurrency: from n/a through <= 3.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:55.353Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67994", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:10:46.401Z", "dateReserved": "2025-12-15T10:00:44.501Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:32.934Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in YayCommerce YayCurrency yaycurrency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YayCurrency: from n/a through <= 3.3."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en YayCommerce YayCurrency yaycurrency permite la explotaci\u00f3n de niveles de seguridad de control de acceso mal configurados. Este problema afecta a YayCurrency: desde n/a hasta &lt;= 3.3."}], "id": "CVE-2025-67994", "lastModified": "2026-04-27T18:16:52.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-20T16:22:05.637", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/yaycurrency/vulnerability/wordpress-yaycurrency-plugin-3-3-arbitrary-content-deletion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.3]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[3.3.1,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "YayCurrency", "source": "cna", "vendor": "YayCommerce"}, "product": "yaycurrency", "vendor": "yaycommerce"}], "analysis": {"en": {"generated_at": "2026-04-27T20:52:51.800842+00:00", "value": {"mitigation_remediation": ["Upgrade the YayCurrency plugin to version 3.4 or later, which resolves the missing authorization check.", "If an upgrade is delayed, deactivate the plugin entirely until a patch is available.", "Review WordPress role and capability settings to ensure that deletion permissions are granted only to trusted administrators and that default users cannot delete content."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary content deletion due to missing authorization"}, "threat_synthesis": {"affected_systems": "The flaw affects the YayCurrency plugin for WordPress, developed by YayCommerce. Versions from the earliest available through 3.3 are vulnerable; any WordPress installation using the plugin in these versions is at risk.", "description_and_impact": "The vulnerability is a Missing Authorization flaw that allows an attacker to delete arbitrary content such as posts, pages, or media items. Because deletion is performed without proper role checks, a user with any authenticated presence can remove valuable data, leading to loss of integrity and potentially to a denial of service if critical content is wiped. The impact is limited to the data available through the plugin and does not provide broader system compromise, but the loss of content can be business\u2011disruptive and difficult to recover.", "risk_and_exploitability": "With a CVSS score of 7.5 the vulnerability is categorized as high severity. The EPSS score of < 1% indicates that exploitation is currently considered unlikely, but the presence of the flaw means an attacker who can gain any authenticated session or who can exploit a misconfigured role can execute the deletion without special prerequisites. Since the vulnerability is not listed in CISA\u2019s KEV catalog, no known widespread exploitation activity has been reported. The likely attack vector is remote, via crafted HTTP requests to deletion endpoints that the plugin incorrectly authorizes."}}}}, "created": "2026-02-23T14:46:03.561664+00:00", "updated": "2026-04-27T21:00:13.163357+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "yaycommerce", "yaycommerce$PRODUCT$yaycurrency"]}