{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68058", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:11.955Z", "datePublished": "2026-01-22T16:52:06.554Z", "dateUpdated": "2026-04-28T16:14:27.820Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "institutions-directory", "product": "Institutions Directory", "vendor": "e-plugins", "versions": [{"lessThanOrEqual": "1.3..4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:22:00.305Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Institutions Directory: from n/a through <= 1.3..4.</p>"}], "value": "Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Institutions Directory: from n/a through <= 1.3..4."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:27.820Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/institutions-directory/vulnerability/wordpress-institutions-directory-plugin-1-3-4-broken-access-control-vulnerability-2?_s_id=cve"}], "title": "WordPress Institutions Directory plugin <= 1.3..4 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T16:58:36.132486Z", "id": "CVE-2025-68058", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:31:23.714Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68058", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T16:58:36.132486Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T16:58:29.912Z"}}], "cna": {"title": "WordPress Institutions Directory plugin <= 1.3..4 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "e-plugins", "product": "Institutions Directory", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.3..4"}], "packageName": "institutions-directory", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:22:00.305Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/institutions-directory/vulnerability/wordpress-institutions-directory-plugin-1-3-4-broken-access-control-vulnerability-2?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Institutions Directory: from n/a through <= 1.3..4.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Institutions Directory: from n/a through <= 1.3..4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:27.820Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68058", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:27.820Z", "dateReserved": "2025-12-15T10:01:11.955Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:06.554Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Institutions Directory: from n/a through <= 1.3..4."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en e-plugins Institutions Directory institutions-directory permite explotar niveles de seguridad de control de acceso mal configurados. Este problema afecta a Institutions Directory: desde n/a hasta &lt;= 1.3..4."}], "id": "CVE-2025-68058", "lastModified": "2026-04-27T19:16:24.040", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:09.743", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/institutions-directory/vulnerability/wordpress-institutions-directory-plugin-1-3-4-broken-access-control-vulnerability-2?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T09:51:36.146918+00:00", "value": {"mitigation_remediation": ["Upgrade the Institutions Directory plugin to version 1.3.5 or later.", "If an upgrade is not immediately possible, disable or uninstall the plugin to eliminate the attack surface.", "Ensure that any custom code or integrations enforce role\u2011based access checks consistent with WordPress\u2019s capabilities before invoking plugin functionality."], "summary": {"action": "Patch", "impact": "Privilege Escalation via Broken Access Control"}, "threat_synthesis": {"affected_systems": "The issue affects e\u2011plugins Institutions Directory plugin from unspecified minimum versions up through 1.3.4. Based on the plugin\u2019s name and typical usage, it is inferred that this plugin operates within a WordPress site, so administrators should verify that any installations of the plugin in that version range are affected.", "description_and_impact": "The flaw is a missing authorization vulnerability that allows an attacker to exploit incorrectly configured access control security levels. This deficiency, classified as CWE-862, lets unauthenticated or low\u2011privilege users perform actions reserved for higher\u2011privileged roles, potentially modifying or deleting data and compromising the integrity and availability of the affected system.", "risk_and_exploitability": "With a CVSS score of 7.6, the vulnerability is considered high severity. The EPSS score of < 1% indicates that exploitation is currently uncommon, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is via HTTP requests to the plugin\u2019s endpoints, and it would require bypassing normal WordPress authentication controls. Attackers could then elevate privileges within the plugin\u2019s scope to perform unauthorized actions."}}}}, "created": "2026-01-23T16:29:21.213340+00:00", "updated": "2026-04-28T10:00:06.493892+00:00", "vendors": ["e-plugins", "e-plugins$PRODUCT$institutions_directory", "wordpress", "wordpress$PRODUCT$wordpress"]}