{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25311", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:20:39.016Z", "datePublished": "2026-02-19T08:26:53.773Z", "dateUpdated": "2026-04-28T16:14:54.725Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "autoshare-for-twitter", "product": "Autoshare for Twitter", "vendor": "10up", "versions": [{"changes": [{"at": "2.3.2", "status": "unaffected"}], "lessThanOrEqual": "2.3.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:02.777Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in 10up Autoshare for Twitter autoshare-for-twitter allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Autoshare for Twitter: from n/a through <= 2.3.1.</p>"}], "value": "Missing Authorization vulnerability in 10up Autoshare for Twitter autoshare-for-twitter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Autoshare for Twitter: from n/a through <= 2.3.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:54.725Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/autoshare-for-twitter/vulnerability/wordpress-autoshare-for-twitter-plugin-2-3-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Autoshare for Twitter plugin <= 2.3.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:38:23.532168Z", "id": "CVE-2026-25311", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:53:59.061Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25311", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T21:38:23.532168Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:38:14.306Z"}}], "cna": {"title": "WordPress Autoshare for Twitter plugin <= 2.3.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "10up", "product": "Autoshare for Twitter", "versions": [{"status": "affected", "changes": [{"at": "2.3.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.3.1"}], "packageName": "autoshare-for-twitter", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:39.151Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/autoshare-for-twitter/vulnerability/wordpress-autoshare-for-twitter-plugin-2-3-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in 10up Autoshare for Twitter autoshare-for-twitter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Autoshare for Twitter: from n/a through <= 2.3.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in 10up Autoshare for Twitter autoshare-for-twitter allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Autoshare for Twitter: from n/a through <= 2.3.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:48.769Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25311", "state": "PUBLISHED", "dateUpdated": "2026-04-28T12:53:59.061Z", "dateReserved": "2026-02-02T12:20:39.016Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:26:53.773Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in 10up Autoshare for Twitter autoshare-for-twitter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Autoshare for Twitter: from n/a through <= 2.3.1."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n Faltante en 10up Autoshare para Twitter autoshare-for-twitter permite Explotar Niveles de Seguridad de Control de Acceso Incorrectamente Configurados. Este problema afecta a Autoshare para Twitter: desde n/a hasta &lt;= 2.3.1."}], "id": "CVE-2026-25311", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:15.343", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/autoshare-for-twitter/vulnerability/wordpress-autoshare-for-twitter-plugin-2-3-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[2.3.2,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Autoshare for Twitter", "source": "cna", "vendor": "10up"}, "product": "autoshare_for_twitter", "vendor": "10up"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:33:16.111026+00:00", "value": {"mitigation_remediation": ["Upgrade the Autoshare for Twitter plugin to the latest version that removes the authorization error (any release newer than 2.3.1).", "If an immediate upgrade is not possible, disable the plugin or restrict its functionality using a role\u2011based access control plugin to prevent unauthenticated or low\u2011privilege users from managing social\u2011media settings. ", "Audit WordPress user roles to ensure only trusted administrators have the ability to modify plugin settings, and consider revoking unnecessary capabilities for other roles."], "summary": {"action": "Patch immediately", "impact": "Unauthorized access to restricted plugin functionality"}, "threat_synthesis": {"affected_systems": "The weakness affects the 10up Autoshare for Twitter WordPress plugin for all installed versions up to and including 2.3.1. Any site running a vulnerable version of this plugin is susceptible.", "description_and_impact": "The vulnerability arises from a missing authorization check in the Autoshare for Twitter plugin, allowing an attacker to bypass normal role\u2011based controls. The flaw is classified as a broken access control weakness (CWE\u2011862). Without proper authentication enforcement, an attacker could potentially manipulate tweet schedules, edit settings, or perform other privileged actions. This puts the confidentiality and integrity of the site\u2019s social media configuration at risk.", "risk_and_exploitability": "The Common Vulnerability Scoring System assigns a CVSS score of 5.4, indicating moderate severity. The Exploit Prediction Severity Score is below 1\u202f%, showing a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Attackers would need to interact with the WordPress site\u2019s plugin administration interface and likely benefit from a user with limited privileges or an unauthenticated vulnerable endpoint; the exact attack vector is inferred from the description of a missing authorization check."}}}}, "created": "2026-02-20T10:09:10.125583+00:00", "updated": "2026-04-16T00:45:15.962361+00:00", "vendors": ["10up", "10up$PRODUCT$autoshare_for_twitter", "wordpress", "wordpress$PRODUCT$wordpress"]}