{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68021", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:59.033Z", "datePublished": "2026-02-20T15:46:34.400Z", "dateUpdated": "2026-04-28T16:14:26.559Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "conveythis-translate", "product": "ConveyThis", "vendor": "ConveyThis", "versions": [{"lessThanOrEqual": "269.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:24.381Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in ConveyThis ConveyThis conveythis-translate allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects ConveyThis: from n/a through <= 269.9.</p>"}], "value": "Missing Authorization vulnerability in ConveyThis ConveyThis conveythis-translate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ConveyThis: from n/a through <= 269.9."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:26.559Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/conveythis-translate/vulnerability/wordpress-conveythis-plugin-268-10-broken-access-control-vulnerability-2?_s_id=cve"}], "title": "WordPress ConveyThis plugin <= 269.9 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T20:09:41.840254Z", "id": "CVE-2025-68021", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:27:41.253Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68021", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T20:09:41.840254Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T20:08:31.998Z"}}], "cna": {"title": "WordPress ConveyThis plugin <= 269.9 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ConveyThis", "product": "ConveyThis", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "269.9"}], "packageName": "conveythis-translate", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:24.381Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/conveythis-translate/vulnerability/wordpress-conveythis-plugin-268-10-broken-access-control-vulnerability-2?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ConveyThis ConveyThis conveythis-translate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ConveyThis: from n/a through <= 269.9.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in ConveyThis ConveyThis conveythis-translate allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects ConveyThis: from n/a through <= 269.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:55.780Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68021", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:27:41.253Z", "dateReserved": "2025-12-15T10:00:59.033Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:34.400Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ConveyThis ConveyThis conveythis-translate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ConveyThis: from n/a through <= 269.9."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en ConveyThis ConveyThis conveythis-translate permite explotar niveles de seguridad de control de acceso incorrectamente configurados. Este problema afecta a ConveyThis: desde n/a hasta &lt;= 269.5."}], "id": "CVE-2025-68021", "lastModified": "2026-04-27T19:16:22.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-20T16:22:07.110", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/conveythis-translate/vulnerability/wordpress-conveythis-plugin-268-10-broken-access-control-vulnerability-2?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,269.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ConveyThis", "source": "cna", "vendor": "ConveyThis"}, "product": "conveythis", "vendor": "conveythis"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T17:40:36.963610+00:00", "value": {"mitigation_remediation": ["Upgrade the ConveyThis Translate plugin to version 270.0 or later to eliminate the broken access control flaw.", "Re\u2011evaluate user role permissions in the WordPress dashboard to ensure no non\u2011admin roles can access the plugin\u2019s restricted functions.", "If an upgrade cannot be applied immediately, delete or disable the plugin to prevent exposure until a fix can be installed."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access via Broken Access Control"}, "threat_synthesis": {"affected_systems": "WordPress sites using the ConveyThis Translate plugin with version numbers from the initial release up to and including 269.9 are affected. All installations that have not applied a newer release\u2014270.0 or later\u2014expose the broken access control flaw. Users of older plugin versions on any WordPress environment should consider themselves at risk.", "description_and_impact": "The vulnerability is a missing authorization flaw in the ConveyThis Translate plugin for WordPress, stemming from incorrectly configured access control security levels. Because the plugin\u2019s endpoints do not enforce proper access control, a user lacking the required permissions can exploit the functionality. This flaw enables an attacker to perform actions or view data that should be restricted, potentially compromising sensitive information or executing privileged operations not intended for their user role. The weakness is a classic example of unauthorized access (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 6.5 classifies the issue as medium severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The flaw is not present in CISA\u2019s KEV catalog, indicating no known public exploit. An attacker would likely need to target an accessible endpoint exposed by the plugin; the attack vector is inferred to be through the WordPress administrative interface, leveraging an authenticated session with insufficient privileges. While exploitation is possible, the low EPSS score and lack of public exploitation reports reduce the current risk urgency, but a patch remains the recommended mitigation."}}}}, "created": "2026-02-23T14:45:53.159508+00:00", "updated": "2026-04-28T17:45:16.138689+00:00", "vendors": ["conveythis", "conveythis$PRODUCT$conveythis", "wordpress", "wordpress$PRODUCT$wordpress"]}