{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68003", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:49.129Z", "datePublished": "2026-01-22T16:51:59.522Z", "dateUpdated": "2026-04-28T16:14:25.698Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "shown-connector", "product": "Shown Connector", "vendor": "renatoatshown", "versions": [{"lessThanOrEqual": "1.2.10", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:22.399Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in renatoatshown Shown Connector shown-connector allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Shown Connector: from n/a through <= 1.2.10.</p>"}], "value": "Missing Authorization vulnerability in renatoatshown Shown Connector shown-connector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shown Connector: from n/a through <= 1.2.10."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:25.698Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/shown-connector/vulnerability/wordpress-shown-connector-plugin-1-2-10-settings-change-vulnerability?_s_id=cve"}], "title": "WordPress Shown Connector plugin <= 1.2.10 - Settings Change vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-29T17:14:51.497823Z", "id": "CVE-2025-68003", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:26:12.585Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68003", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-29T17:14:51.497823Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T17:14:46.736Z"}}], "cna": {"title": "WordPress Shown Connector plugin <= 1.2.10 - Settings Change vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "renatoatshown", "product": "Shown Connector", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.2.10"}], "packageName": "shown-connector", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:22.399Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/shown-connector/vulnerability/wordpress-shown-connector-plugin-1-2-10-settings-change-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in renatoatshown Shown Connector shown-connector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shown Connector: from n/a through <= 1.2.10.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in renatoatshown Shown Connector shown-connector allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Shown Connector: from n/a through <= 1.2.10.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:55.677Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68003", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:26:12.585Z", "dateReserved": "2025-12-15T10:00:49.129Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:51:59.522Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in renatoatshown Shown Connector shown-connector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shown Connector: from n/a through <= 1.2.10."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en renatoatshown Shown Connector shown-connector permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Shown Connector: desde n/a hasta &lt;= 1.2.10."}], "id": "CVE-2025-68003", "lastModified": "2026-04-27T19:16:21.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:06.600", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/shown-connector/vulnerability/wordpress-shown-connector-plugin-1-2-10-settings-change-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T09:56:43.147215+00:00", "value": {"mitigation_remediation": ["Update Shown Connector plugin to a version newer than 1.2.10", "If an update is not possible, remove or disable the plugin and restrict access to its settings page for administrator\u2011only users", "Review user roles and enforce least\u2011privilege policies to ensure that only authorized personnel can modify plugin settings"], "summary": {"action": "Patch", "impact": "Unauthorized settings changes through missing authorization"}, "threat_synthesis": {"affected_systems": "Any WordPress installation using Shown Connector version 1.2.10 or earlier is vulnerable. The description does not specify which WordPress core versions are impacted, so it is inferred that all installations with the vulnerable plugin version are at risk, regardless of the underlying WordPress version. The issue does not affect later plugin versions and is specific to the plugin itself rather than the core or server environment.", "description_and_impact": "RenatoAtShwon's Shown Connector plugin suffers from a missing authorization flaw that permits attackers to alter plugin configuration settings. The vulnerability, identified as CWE-862, enables an actor who can reach the plugin\u2019s settings interface to modify options that influence the plugin\u2019s behavior on a WordPress site. Based on the description, it is inferred that the attacker must have some level of access to reach the settings page and that the attack likely involves authenticated or privileged users, although an exposed front\u2011end could broaden the vector. Such unauthorized changes can lead to misconfiguration, potential escalation of privileges, or a foundation for additional attacks, affecting the integrity of the site\u2019s functionality.", "risk_and_exploitability": "The CVSS score of 6.5 places the flaw in the medium severity range, while an EPSS score of less than 1% indicates a low probability of exploitation at this time. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation likely requires access to the plugin\u2019s settings page, typically available only to authenticated users with appropriate privileges. Based on the description, it is inferred that the attacker must first reach this page, and that if the plugin is unintentionally exposed through the front\u2011end or if site misconfigurations allow broad access, the attack vector widens, but some level of authentication remains a prerequisite."}}}}, "created": "2026-01-23T16:30:40.628024+00:00", "updated": "2026-04-28T10:00:06.505832+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}