{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68036", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:03.747Z", "datePublished": "2025-12-29T23:26:17.386Z", "dateUpdated": "2026-04-28T16:14:27.295Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "cubewp-framework", "product": "CubeWP", "vendor": "Imran Tauqeer", "versions": [{"changes": [{"at": "1.1.28", "status": "unaffected"}], "lessThanOrEqual": "1.1.27", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "MD ISMAIL | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:43:55.893Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Imran Tauqeer CubeWP cubewp-framework allows Accessing Functionality Not Properly Constrained by ACLs.<p>This issue affects CubeWP: from n/a through <= 1.1.27.</p>"}], "value": "Missing Authorization vulnerability in Imran Tauqeer CubeWP cubewp-framework allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects CubeWP: from n/a through <= 1.1.27."}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:27.295Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/cubewp-framework/vulnerability/wordpress-cubewp-plugin-1-1-27-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress CubeWP plugin <= 1.1.27 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-30T15:54:12.150350Z", "id": "CVE-2025-68036", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-30T15:54:23.634Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68036", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-30T15:54:12.150350Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-30T15:54:18.512Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress CubeWP plugin <= 1.1.27 - Broken Access Control vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "MD ISMAIL | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Emraan Cheema", "product": "CubeWP", "versions": [{"status": "affected", "changes": [{"at": "1.1.28", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "1.1.27"}], "packageName": "cubewp-framework", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress CubeWP plugin to the latest available version (at least 1.1.28).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress CubeWP plugin to the latest available version (at least 1.1.28).", "base64": false}]}], "references": [{"url": "https://vdp.patchstack.com/database/wordpress/plugin/cubewp-framework/vulnerability/wordpress-cubewp-plugin-1-1-27-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Emraan Cheema CubeWP allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects CubeWP: from n/a through 1.1.27.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Emraan Cheema CubeWP allows Accessing Functionality Not Properly Constrained by ACLs.<p>This issue affects CubeWP: from n/a through 1.1.27.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2025-12-29T23:26:17.386Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68036", "state": "PUBLISHED", "dateUpdated": "2025-12-30T15:54:23.634Z", "dateReserved": "2025-12-15T10:01:03.747Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-12-29T23:26:17.386Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Imran Tauqeer CubeWP cubewp-framework allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects CubeWP: from n/a through <= 1.1.27."}], "id": "CVE-2025-68036", "lastModified": "2026-04-23T15:35:51.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2025-12-30T00:15:52.047", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/cubewp-framework/vulnerability/wordpress-cubewp-plugin-1-1-27-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:25:36.048466+00:00", "value": {"mitigation_remediation": ["Upgrade CubeWP to a version newer than 1.1.27 where the missing authorization checks are implemented.", "If the plugin is not essential for site functionality, deactivate or uninstall CubeWP to eliminate the vulnerable code path.", "Verify and restrict WordPress role permissions, ensuring that only trusted administrators can access privileged plugin endpoints."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "Imran Tauqeer CubeWP for WordPress, any installation of version 1.1.27 or earlier, is affected. The issue applies to all WordPress sites that have this plugin deployed, regardless of the user role management set up by the site owner.", "description_and_impact": "The CubeWP WordPress plugin suffers from a missing authorization flaw that exposes privileged functions without the necessary ACL checks. This weakness, identified as CWE\u2011862, permits an attacker to invoke actions that should be restricted, potentially leading to unauthorized data access, modification, or configuration changes. The vulnerability exists in all releases up to and including version 1.1.27. ", "risk_and_exploitability": "The CVSS score of 7.5 marks the vulnerability as high severity. The EPSS score of less than 1% indicates a low probability of exploitation, and the issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector would involve accessing the plugin\u2019s specific endpoints through the WordPress administration interface or possibly via crafted requests that bypass normal role checks, allowing an attacker with limited credentials or even no credentials to call the vulnerable functions."}}}}, "created": "2026-01-05T12:25:29.523260+00:00", "updated": "2026-04-28T18:30:37.339939+00:00", "vendors": ["emraan_cheema", "emraan_cheema$PRODUCT$cubewp", "wordpress", "wordpress$PRODUCT$wordpress"]}