{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25365", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:55.300Z", "datePublished": "2026-03-25T16:14:45.681Z", "dateUpdated": "2026-04-28T16:14:56.821Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "kargo-takip-turkiye", "product": "Kargo Takip", "vendor": "\u00d6zg\u00fcr KARALAR", "versions": [{"changes": [{"at": "0.2.4", "status": "unaffected"}], "lessThanOrEqual": "0.2.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:25.802Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in \u00d6zg\u00fcr KARALAR Kargo Takip kargo-takip-turkiye allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Kargo Takip: from n/a through < 0.2.4.</p>"}], "value": "Missing Authorization vulnerability in \u00d6zg\u00fcr KARALAR Kargo Takip kargo-takip-turkiye allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kargo Takip: from n/a through < 0.2.4."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:56.821Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/kargo-takip-turkiye/vulnerability/wordpress-kargo-takip-plugin-0-2-4-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Kargo Takip plugin < 0.2.4 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T16:44:30.391973Z", "id": "CVE-2026-25365", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:36:17.231Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25365", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:44:30.391973Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:32:14.750Z"}}], "cna": {"title": "WordPress Kargo Takip plugin < 0.2.4 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "\u00d6zg\u00fcr KARALAR", "product": "Kargo Takip", "versions": [{"status": "affected", "changes": [{"at": "0.2.4", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "0.2.4"}], "packageName": "kargo-takip-turkiye", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:25.802Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/kargo-takip-turkiye/vulnerability/wordpress-kargo-takip-plugin-0-2-4-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in \u00d6zg\u00fcr KARALAR Kargo Takip kargo-takip-turkiye allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kargo Takip: from n/a through < 0.2.4.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in \u00d6zg\u00fcr KARALAR Kargo Takip kargo-takip-turkiye allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Kargo Takip: from n/a through < 0.2.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:56.821Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25365", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:56.821Z", "dateReserved": "2026-02-02T12:52:55.300Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:45.681Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in \u00d6zg\u00fcr KARALAR Kargo Takip kargo-takip-turkiye allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kargo Takip: from n/a through < 0.2.4."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en \u00d6zg\u00fcr KARALAR Kargo Takip kargo-takip-turkiye permite explotar niveles de seguridad de control de acceso incorrectamente configurados. Este problema afecta a Kargo Takip: desde n/a hasta &lt; 0.2.4."}], "id": "CVE-2026-25365", "lastModified": "2026-04-28T02:16:05.393", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:47.420", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/kargo-takip-turkiye/vulnerability/wordpress-kargo-takip-plugin-0-2-4-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.2.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "0.2.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Kargo Takip", "source": "cna", "vendor": "\u00d6zg\u00fcr KARALAR"}, "product": "kargo_takip", "vendor": "\u00f6zg\u00fcr_karalar"}], "analysis": {"en": {"generated_at": "2026-03-26T19:07:49.292527+00:00", "value": {"mitigation_remediation": ["Update Kargo Takip to version 0.2.4 or later", "If an update is not immediately possible, restrict access to the plugin\u2019s administrative pages by assigning the least privilege role to users", "Monitor WordPress admin logs for unusual access to the plugin\u2019s URLs", "Verify that any custom role permissions do not allow actions beyond intended scopes"], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Data Access"}, "threat_synthesis": {"affected_systems": "All releases of the Kargo Takip plugin distributed by \u00d6zg\u00fcr KARALAR, specifically versions prior to 0.2.4, are affected. WordPress sites installing the plugin before this version are at risk, as the vulnerability applies to every non\u2011patched instance of the add\u2011on.", "description_and_impact": "A missing authorization flaw in the Kargo Takip WordPress plugin removes critical access controls, allowing a user to view or modify protected data managed by the plugin. The weakness, identified as CWE\u2011862, does not grant execution privileges but directly undermines data confidentiality and integrity by letting an attacker bypass legitimate authentication checks.", "risk_and_exploitability": "The core exploit score of 6.5 indicates medium severity. The EPSS score is less than 1%, suggesting that the vulnerability is unlikely to see widespread exploitation currently. The flaw is not included in CISA\u2019s Known Exploited Vulnerabilities catalog. Based on the description, the attack vector is likely remote, through crafted HTTP requests to the plugin\u2019s endpoints, and does not require elevated privileges beyond the ability to reach those URLs."}}}}, "created": "2026-03-25T21:44:51.037711+00:00", "updated": "2026-03-27T09:45:54.788218+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "\u00f6zg\u00fcr_karalar", "\u00f6zg\u00fcr_karalar$PRODUCT$kargo_takip"]}