{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25473", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:59.643Z", "datePublished": "2026-02-19T08:27:09.151Z", "dateUpdated": "2026-04-28T16:14:59.639Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected", "packageName": "woozone", "product": "WZone", "vendor": "AA-Team", "versions": [{"lessThanOrEqual": "14.0.31", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:11.627Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in AA-Team WZone woozone allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WZone: from n/a through <= 14.0.31.</p>"}], "value": "Missing Authorization vulnerability in AA-Team WZone woozone allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WZone: from n/a through <= 14.0.31."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:59.639Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/woozone/vulnerability/wordpress-wzone-plugin-14-0-31-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WZone plugin <= 14.0.31 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T16:56:01.866856Z", "id": "CVE-2026-25473", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:59:20.471Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25473", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T16:56:01.866856Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T16:55:55.302Z"}}], "cna": {"title": "WordPress WZone plugin <= 14.0.31 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AA-Team", "product": "WZone", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "14.0.31"}], "packageName": "woozone", "collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:57.063Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/woozone/vulnerability/wordpress-wzone-plugin-14-0-31-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in AA-Team WZone woozone allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WZone: from n/a through <= 14.0.31.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in AA-Team WZone woozone allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WZone: from n/a through <= 14.0.31.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:50.718Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25473", "state": "PUBLISHED", "dateUpdated": "2026-04-28T13:59:20.471Z", "dateReserved": "2026-02-02T12:53:59.643Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:27:09.151Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in AA-Team WZone woozone allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WZone: from n/a through <= 14.0.31."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en AA-Team WZone woozone permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WZone: desde n/a hasta &lt;= 14.0.31."}], "id": "CVE-2026-25473", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:25.273", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/woozone/vulnerability/wordpress-wzone-plugin-14-0-31-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,14.0.31]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WZone", "source": "cna", "vendor": "AA-Team"}, "product": "wzone", "vendor": "aa-team"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T06:27:54.549055+00:00", "value": {"mitigation_remediation": ["Upgrade the WZone plugin to a non\u2011affected version (\u226514.0.32)", "If the plugin is not required, disable or remove it from the WordPress installation", "Implement role\u2011based access controls and monitor for unauthorized attempts to access plugin administrative functions"], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access due to missing authorization controls in WZone plugin"}, "threat_synthesis": {"affected_systems": "Affecting the AA-Team WZone WooZone plugin for WordPress through all releases up to including version 14.0.31. Any WordPress site that has installed an affected version of this plugin is at risk. Site administrators should verify the plugin version and check for any custom configurations that might lower access control levels.", "description_and_impact": "The vulnerability is a missing authorization check that allows users to exploit incorrectly configured access control security levels within the AA-Team WZone WooZone plugin. An attacker who can reach the plugin\u2019s administrative interfaces may gain access to privileged functions, potentially performing actions that should be restricted to higher\u2011privileged users. This can compromise the confidentiality, integrity, or availability of the WordPress site by enabling unauthorized administrative changes, data exfiltration, or injection of malicious content.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalog. Because the attack vector relies on reaching the plugin\u2019s privileged administrative pages, the most likely exploitation path involves a user with sufficient access to navigate to those URLs, or exploitation through a broader site compromise in which an attacker can locate the plugin administrative endpoints. The risk is mitigated by applying a patch to a non\u2011affected version of the plugin or by implementing remedial controls that restrict or monitor access to those endpoints."}}}}, "created": "2026-02-20T10:08:09.343382+00:00", "updated": "2026-04-16T06:30:06.033742+00:00", "vendors": ["aa-team", "aa-team$PRODUCT$wzone", "wordpress", "wordpress$PRODUCT$wordpress"]}