{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25036", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:52:08.058Z", "datePublished": "2026-02-03T14:08:41.927Z", "dateUpdated": "2026-04-28T16:14:54.268Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "content-protector", "product": "Passster", "vendor": "WP Chill", "versions": [{"changes": [{"at": "4.2.26", "status": "unaffected"}], "lessThanOrEqual": "4.2.25", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "johska | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:32.069Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in WP Chill Passster content-protector allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Passster: from n/a through <= 4.2.25.</p>"}], "value": "Missing Authorization vulnerability in WP Chill Passster content-protector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Passster: from n/a through <= 4.2.25."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:54.268Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/content-protector/vulnerability/wordpress-passster-plugin-4-2-25-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Passster plugin <= 4.2.25 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T14:07:30.696312Z", "id": "CVE-2026-25036", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:51:36.083Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25036", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-12T14:07:30.696312Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T14:07:20.749Z"}}], "cna": {"title": "WordPress Passster plugin <= 4.2.25 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "johska | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WP Chill", "product": "Passster", "versions": [{"status": "affected", "changes": [{"at": "4.2.26", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "4.2.25"}], "packageName": "content-protector", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:32.069Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/content-protector/vulnerability/wordpress-passster-plugin-4-2-25-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WP Chill Passster content-protector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Passster: from n/a through <= 4.2.25.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in WP Chill Passster content-protector allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Passster: from n/a through <= 4.2.25.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:54.268Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25036", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:54.268Z", "dateReserved": "2026-01-28T09:52:08.058Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-03T14:08:41.927Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WP Chill Passster content-protector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Passster: from n/a through <= 4.2.25."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en el protector de contenido WP Chill Passster permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Passster: desde n/a hasta &lt;= 4.2.25."}], "id": "CVE-2026-25036", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-03T15:16:21.293", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/content-protector/vulnerability/wordpress-passster-plugin-4-2-25-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T07:00:44.310353+00:00", "value": {"mitigation_remediation": ["Verify the currently installed Passster version; if it is 4.2.25 or earlier, contact the vendor to confirm a fix or await an update that addresses the access control flaw", "Review the plugin\u2019s access level settings to ensure no content is assigned a too\u2011low restriction level", "Audit protected content listings and user roles to confirm that only authorized users can view sensitive posts"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access to protected content due to missing authorization"}, "threat_synthesis": {"affected_systems": "WordPress plugin Passster developed by WP Chill (content\u2011protector) is affected from the earliest releases through version 4.2.25. Any site using Passster up to and including 4.2.25 is vulnerable and should be treated as impacted.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows users to access content that should otherwise be restricted. The weakness stemmed from incorrectly configured access control security levels, enabling the bypass of intended content protection. The flaw can be exploited to read or view protected information, potentially exposing confidential user data or sensitive material present on the site, and is classified as a CWE-862 Broken Access Control.", "risk_and_exploitability": "The CVSS score of 6.5 indicates medium severity, while the EPSS score of less than 1% indicates a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, via the web interface, because the flaw resides in the web\u2011based access control configuration of the plugin. An attacker with exposure to the site and knowledge of the configuration could craft requests to bypass access restrictions and retrieve protected content."}}}}, "created": "2026-02-04T12:09:02.488874+00:00", "updated": "2026-04-16T07:15:28.166694+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpchill", "wpchill$PRODUCT$passster"]}