{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25410", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:19.001Z", "datePublished": "2026-02-19T08:27:05.666Z", "dateUpdated": "2026-04-28T16:14:58.465Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-cors", "product": "WP-CORS", "vendor": "tstephenson", "versions": [{"lessThanOrEqual": "0.2.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:09.125Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in tstephenson WP-CORS wp-cors allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP-CORS: from n/a through <= 0.2.2.</p>"}], "value": "Missing Authorization vulnerability in tstephenson WP-CORS wp-cors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-CORS: from n/a through <= 0.2.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:58.465Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-cors/vulnerability/wordpress-wp-cors-plugin-0-2-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP-CORS plugin <= 0.2.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:08:45.783964Z", "id": "CVE-2026-25410", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:23:07.989Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25410", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T21:08:45.783964Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:06:09.916Z"}}], "cna": {"title": "WordPress WP-CORS plugin <= 0.2.2 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "tstephenson", "product": "WP-CORS", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 0.2.2"}], "packageName": "wp-cors", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-02-19T09:26:05.531Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-cors/vulnerability/wordpress-wp-cors-plugin-0-2-2-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in tstephenson WP-CORS wp-cors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-CORS: from n/a through <= 0.2.2.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in tstephenson WP-CORS wp-cors allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP-CORS: from n/a through <= 0.2.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-02-19T08:27:05.666Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25410", "state": "PUBLISHED", "dateUpdated": "2026-02-19T21:08:57.267Z", "dateReserved": "2026-02-02T12:53:19.001Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:27:05.666Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in tstephenson WP-CORS wp-cors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-CORS: from n/a through <= 0.2.2."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n Faltante en tstephenson WP-CORS wp-cors permite Explotar Niveles de Seguridad de Control de Acceso Incorrectamente Configurados. Este problema afecta a WP-CORS: desde n/a hasta &lt;= 0.2.2."}], "id": "CVE-2026-25410", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:22.743", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-cors/vulnerability/wordpress-wp-cors-plugin-0-2-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.2.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP-CORS", "source": "cna", "vendor": "tstephenson"}, "product": "wp-cors", "vendor": "tstephenson"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:16:47.408527+00:00", "value": {"mitigation_remediation": ["Update the WP-CORS plugin to the latest version (>=0.2.3) to apply the missing authorization fix.", "If an update is not immediately possible, disable the WP-CORS plugin or restrict its exposure to trusted IP ranges.", "Review and enforce strong authentication and role permissions on your WordPress instance to limit potential damage from any plugin\u2011related exposure."], "summary": {"action": "Patch Now", "impact": "Unauthorized Access Due to Missing Authorization"}, "threat_synthesis": {"affected_systems": "Affected systems are WordPress sites that have the tstephenson WP-CORS plugin installed at version 0.2.2 or earlier. Any deployment of this plugin without an upgrade is vulnerable.", "description_and_impact": "The vulnerability is a missing authorization flaw in the tstephenson WP-CORS WordPress plugin, allowing an attacker to exploit incorrectly configured access control levels. This flaw can let an unauthorized user view or modify protected resources exposed by the plugin, potentially leading to data disclosure or manipulation. As a CWE\u2011862 missing authorization issue, the primary impact is unauthorized access to content or configuration data.", "risk_and_exploitability": "The CVSS score of 4.3 indicates low to moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, so no confirmed public exploits are documented. Attackers would likely perform the exploitation remotely by sending crafted HTTP requests to the plugin\u2019s endpoints; no local privilege escalation or execution is required."}}}}, "created": "2026-02-20T10:08:24.816305+00:00", "updated": "2026-04-16T00:30:18.852159+00:00", "vendors": ["tstephenson", "tstephenson$PRODUCT$wp-cors", "wordpress", "wordpress$PRODUCT$wordpress"]}