{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25437", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:40.963Z", "datePublished": "2026-03-25T16:14:49.711Z", "dateUpdated": "2026-04-28T16:14:58.752Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "gzseo", "product": "GZSEO", "vendor": "\u0633\u06cc\u062f \u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646 \u0647\u0627\u0634\u0645\u06cc", "versions": [{"lessThanOrEqual": "2.0.14", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:23.375Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in \u0633\u06cc\u062f \u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646 \u0647\u0627\u0634\u0645\u06cc GZSEO gzseo allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects GZSEO: from n/a through <= 2.0.14.</p>"}], "value": "Missing Authorization vulnerability in \u0633\u06cc\u062f \u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646 \u0647\u0627\u0634\u0645\u06cc GZSEO gzseo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GZSEO: from n/a through <= 2.0.14."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:58.752Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/gzseo/vulnerability/wordpress-gzseo-plugin-2-0-11-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress GZSEO plugin <= 2.0.14 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T16:32:00.791259Z", "id": "CVE-2026-25437", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:42:21.959Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25437", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:32:00.791259Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:32:02.311Z"}}], "cna": {"title": "WordPress GZSEO plugin <= 2.0.14 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "\u0633\u06cc\u062f \u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646 \u0647\u0627\u0634\u0645\u06cc", "product": "GZSEO", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.0.14"}], "packageName": "gzseo", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:23.375Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/gzseo/vulnerability/wordpress-gzseo-plugin-2-0-11-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in \u0633\u06cc\u062f \u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646 \u0647\u0627\u0634\u0645\u06cc GZSEO gzseo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GZSEO: from n/a through <= 2.0.14.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in \u0633\u06cc\u062f \u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646 \u0647\u0627\u0634\u0645\u06cc GZSEO gzseo allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects GZSEO: from n/a through <= 2.0.14.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:09.643Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25437", "state": "PUBLISHED", "dateUpdated": "2026-04-24T15:35:33.114Z", "dateReserved": "2026-02-02T12:53:40.963Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:49.711Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in \u0633\u06cc\u062f \u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646 \u0647\u0627\u0634\u0645\u06cc GZSEO gzseo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GZSEO: from n/a through <= 2.0.14."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en ??? ???????? ????? GZSEO gzseo permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a GZSEO: desde n/a hasta &lt;= 2.0.14."}], "id": "CVE-2026-25437", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:50.860", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/gzseo/vulnerability/wordpress-gzseo-plugin-2-0-11-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.14]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "GZSEO", "source": "cna", "vendor": "\u0633\u06cc\u062f \u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646 \u0647\u0627\u0634\u0645\u06cc"}, "product": "gzseo", "vendor": "\u0633\u06cc\u062f_\u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646_\u0647\u0627\u0634\u0645\u06cc"}], "analysis": {"en": {"generated_at": "2026-03-26T19:06:20.066958+00:00", "value": {"mitigation_remediation": ["Upgrade the GZSEO plugin to a version newer than 2.0.14 (e.g., 2.0.15 or later).", "If an upgrade cannot be performed immediately, disable the GZSEO plugin to remove the vulnerable code from the site."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to all releases of the GZSEO plugin produced by \u0633\u06cc\u062f \u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646 \u0647\u0627\u0634\u0645\u06cc from the earliest documented version up to and including 2.0.14. Sites that have any of these versions installed are at risk if the plugin is active.", "description_and_impact": "A missing authorization check in the WordPress GZSEO plugin up to version 2.0.14 allows users without proper credentials to perform actions that should be restricted. This flaw, classified as CWE\u2011862, enables unintended access to plugin functions and potentially exposed data or administrative actions.\"", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity assessment, while the EPSS score of less than 1\u202f% reflects a low likelihood of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploits. Based on the description, the likely attack vector is via the WordPress web interface where the plugin\u2019s access checks are omitted; an attacker would need to craft HTTP requests targeting the plugin\u2019s endpoints to gain unauthorized access."}}}}, "created": "2026-03-25T21:44:27.987440+00:00", "updated": "2026-03-27T09:31:43.204594+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "\u0633\u06cc\u062f_\u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646_\u0647\u0627\u0634\u0645\u06cc", "\u0633\u06cc\u062f_\u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646_\u0647\u0627\u0634\u0645\u06cc$PRODUCT$gzseo"]}