{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25003", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:57.104Z", "datePublished": "2026-02-19T08:26:51.515Z", "dateUpdated": "2026-04-28T16:14:53.181Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "client-portal", "product": "Client Portal", "vendor": "madalin.ungureanu", "versions": [{"changes": [{"at": "1.2.2", "status": "unaffected"}], "lessThanOrEqual": "1.2.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:04.738Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in madalin.ungureanu Client Portal client-portal allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Client Portal: from n/a through <= 1.2.1.</p>"}], "value": "Missing Authorization vulnerability in madalin.ungureanu Client Portal client-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Portal: from n/a through <= 1.2.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:53.181Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/client-portal/vulnerability/wordpress-client-portal-plugin-1-2-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Client Portal plugin <= 1.2.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:09:55.654485Z", "id": "CVE-2026-25003", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:43:55.889Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25003", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:57.104Z", "datePublished": "2026-02-19T08:26:51.515Z", "dateUpdated": "2026-04-28T12:43:55.889Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "client-portal", "product": "Client Portal", "vendor": "madalin.ungureanu", "versions": [{"changes": [{"at": "1.2.2", "status": "unaffected"}], "lessThanOrEqual": "1.2.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:34.964Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in madalin.ungureanu Client Portal client-portal allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Client Portal: from n/a through <= 1.2.1.</p>"}], "value": "Missing Authorization vulnerability in madalin.ungureanu Client Portal client-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Portal: from n/a through <= 1.2.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:48.273Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/client-portal/vulnerability/wordpress-client-portal-plugin-1-2-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Client Portal plugin <= 1.2.1 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25003", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T21:09:55.654485Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:08:48.544Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in madalin.ungureanu Client Portal client-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Portal: from n/a through <= 1.2.1."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en madalin.ungureanu Client Portal client-portal permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Client Portal: desde n/a hasta &lt;= 1.2.1."}], "id": "CVE-2026-25003", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:14.067", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/client-portal/vulnerability/wordpress-client-portal-plugin-1-2-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.2.2,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Client Portal", "source": "cna", "vendor": "madalin.ungureanu"}, "product": "client_portal", "vendor": "madalin.ungureanu"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:35:58.507262+00:00", "value": {"mitigation_remediation": ["Upgrade the Client Portal plugin to the latest version, which resolves the broken access control issue.", "If an upgrade cannot be performed immediately, temporarily deactivate the plugin to remove the exploitation surface.", "While the plugin remains in use, restrict external access to the WordPress admin panel through IP whitelisting and monitor login attempts for suspicious activity."], "summary": {"action": "Patch", "impact": "Unauthorized Access to restricted functions and data"}, "threat_synthesis": {"affected_systems": "All deployments of the madalin.ungureanu Client Portal plugin for WordPress affected are versions from any prior release through version 1.2.1. Users running those versions must assess their current installation and plan for remediation.", "description_and_impact": "The Client Portal plugin for WordPress contains a missing authorization flaw that allows attackers to bypass access controls and reach features normally restricted to privileged users. This issue stems from improper checks on permission levels and is classified as CWE-862. Because the plugin does not enforce sufficient authentication or role validation, an adversary can send crafted HTTP requests to plugin endpoints and trigger functions reserved for administrators.", "risk_and_exploitability": "The CVSS score is 4.3, indicating a moderate impact if successful. The EPSS score is less than 1%, suggesting a low current exploitation probability. This vulnerability is not listed in CISA\u2019s KEV catalog, so no public exploitation is documented. Likely attack vectors involve remote requests via the WordPress web interface to plugin URL endpoints that lack role checks. The flaw is a breach of authorization rather than an injection or buffer overflow, so an attacker would need to trigger privileged functions, but the absence of checks could allow anyone with web access to perform those actions."}}}}, "created": "2026-02-20T10:11:10.330202+00:00", "updated": "2026-04-16T00:45:15.964588+00:00", "vendors": ["madalin.ungureanu", "madalin.ungureanu$PRODUCT$client_portal", "wordpress", "wordpress$PRODUCT$wordpress"]}