{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25000", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:57.103Z", "datePublished": "2026-02-19T08:26:51.332Z", "dateUpdated": "2026-04-28T16:14:52.865Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wheel-of-life", "product": "Wheel of Life", "vendor": "Kraft Plugins", "versions": [{"changes": [{"at": "1.2.1", "status": "unaffected"}], "lessThanOrEqual": "1.2.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:02.734Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Kraft Plugins Wheel of Life wheel-of-life allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Wheel of Life: from n/a through <= 1.2.0.</p>"}], "value": "Missing Authorization vulnerability in Kraft Plugins Wheel of Life wheel-of-life allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wheel of Life: from n/a through <= 1.2.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:52.865Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wheel-of-life/vulnerability/wordpress-wheel-of-life-plugin-1-2-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Wheel of Life plugin <= 1.2.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:42:25.190786Z", "id": "CVE-2026-25000", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:43:25.648Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25000", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:57.103Z", "datePublished": "2026-02-19T08:26:51.332Z", "dateUpdated": "2026-04-28T12:43:25.648Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wheel-of-life", "product": "Wheel of Life", "vendor": "Kraft Plugins", "versions": [{"changes": [{"at": "1.2.1", "status": "unaffected"}], "lessThanOrEqual": "1.2.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:34.747Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Kraft Plugins Wheel of Life wheel-of-life allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Wheel of Life: from n/a through <= 1.2.0.</p>"}], "value": "Missing Authorization vulnerability in Kraft Plugins Wheel of Life wheel-of-life allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wheel of Life: from n/a through <= 1.2.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:48.299Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wheel-of-life/vulnerability/wordpress-wheel-of-life-plugin-1-2-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Wheel of Life plugin <= 1.2.0 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25000", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T21:42:25.190786Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:42:55.862Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Kraft Plugins Wheel of Life wheel-of-life allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wheel of Life: from n/a through <= 1.2.0."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en Kraft Plugins Wheel of Life wheel-of-life permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Wheel of Life: desde n/a hasta &lt;= 1.2.0."}], "id": "CVE-2026-25000", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:13.927", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wheel-of-life/vulnerability/wordpress-wheel-of-life-plugin-1-2-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.2.1,*]"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "Wheel of Life", "source": "cna", "vendor": "Kraft Plugins"}, "product": "wheel_of_life", "vendor": "kraftplugins"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:36:16.177851+00:00", "value": {"mitigation_remediation": ["Upgrade the Wheel of Life plugin to a version newer than 1.2.0 to apply the vendor fix.", "If an immediate update is not possible, restrict access to the plugin\u2019s administrative functionality by enforcing stricter WordPress role permissions or using a role\u2011based access control solution.", "Validate that no other plugins on the site contain similar missing authorization weaknesses by conducting a periodic audit of all installed plugins."], "summary": {"action": "Patch", "impact": "Authorization Bypass via Broken Access Control"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed Kraft Plugins Wheel of Life version 1.2.0 or earlier are impacted. The vulnerability does not affect newer releases beyond 1.2.0, but any site still running the affected plugin version remains at risk.", "description_and_impact": "The vulnerability in the Wheel of Life WordPress plugin stems from a missing authorization check, allowing users to trigger privileged functions without proper verification. This flaw leads to an authorization bypass, enabling attackers to elevate privileges within the plugin, potentially exposing sensitive configuration or manipulating plugin data. The weakness is classified as CWE\u2011862, reflecting a failure to enforce adequate access control.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, while the EPSS value of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not currently listed in CISA\u2019s KEV catalog. Because the flaw requires access to a request that is not properly authorized, the attack vector is likely local to users who can reach the plugin\u2019s administration interface, however the exact prerequisites are not fully detailed in the available description."}}}}, "created": "2026-02-20T10:11:11.123042+00:00", "updated": "2026-04-16T00:45:15.965157+00:00", "vendors": ["kraftplugins", "kraftplugins$PRODUCT$wheel_of_life", "wordpress", "wordpress$PRODUCT$wordpress"]}