{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68020", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:59.033Z", "datePublished": "2026-01-22T16:52:04.392Z", "dateUpdated": "2026-04-28T16:14:26.513Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "notifier", "product": "Notifier", "vendor": "WANotifier", "versions": [{"changes": [{"at": "3.0.0", "status": "unaffected"}], "lessThanOrEqual": "2.7.13", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:20.699Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in WANotifier Notifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Notifier: from n/a through <= 2.7.13.</p>"}], "value": "Missing Authorization vulnerability in WANotifier Notifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Notifier: from n/a through <= 2.7.13."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:26.513Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/notifier/vulnerability/wordpress-wanotifier-plugin-2-7-12-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Notifier plugin <= 2.7.13 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T20:39:07.894467Z", "id": "CVE-2025-68020", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:27:29.105Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68020", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T20:39:07.894467Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T20:38:57.069Z"}}], "cna": {"title": "WordPress Notifier plugin <= 2.7.13 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WANotifier", "product": "Notifier", "versions": [{"status": "affected", "changes": [{"at": "3.0.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.7.13"}], "packageName": "notifier", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:20.699Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/notifier/vulnerability/wordpress-wanotifier-plugin-2-7-12-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WANotifier Notifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Notifier: from n/a through <= 2.7.13.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in WANotifier Notifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Notifier: from n/a through <= 2.7.13.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:55.617Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68020", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:27:29.105Z", "dateReserved": "2025-12-15T10:00:59.033Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:04.392Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WANotifier Notifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Notifier: from n/a through <= 2.7.13."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en el notificador WANotifier WANotifier permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WANotifier: desde n/a hasta &lt;= 2.7.12."}], "id": "CVE-2025-68020", "lastModified": "2026-04-27T19:16:22.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:08.480", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/notifier/vulnerability/wordpress-wanotifier-plugin-2-7-12-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:22:09.091440+00:00", "value": {"mitigation_remediation": ["Upgrade the Notifier plugin to any release newer than version 2.7.13.", "If upgrading is not possible, deactivate the plugin or restrict its use to trusted administrators only.", "Review and tighten WordPress role capabilities to ensure that no unauthorized users can invoke the plugin functions."], "summary": {"action": "Patch Immediately", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WANotifier Notifier WordPress plugin, version 2.7.13 and all earlier releases. No other vendors or products are listed as impacted.", "description_and_impact": "This issue manifests as a missing authorization check in the WANotifier Notifier WordPress plugin. Because the plugin fails to verify that a caller has sufficient privileges, an attacker could trigger actions or view data that should be restricted to authenticated administrators. The root weakness is a CWE\u2011862 Missing Authorization defect, meaning access controls are not enforced properly.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity overall. The EPSS score of <1% suggests that, at present, the probability of exploitation observed in the wild is quite low, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, because the plugin operates within a web application environment, an attacker could access the vulnerable functions remotely if proper authentication is bypassed; the exact attack vector is not specified in the advisory, but it is inferred that remote exploitation via the WordPress interface would be the likely path."}}}}, "created": "2026-01-23T16:30:44.313346+00:00", "updated": "2026-04-27T21:30:13.884860+00:00", "vendors": ["wanotifier", "wanotifier$PRODUCT$wanotifier", "wordpress", "wordpress$PRODUCT$wordpress"]}