WordPress Plugin Vulnerabilities

Conversios.io < 7.2.14 - Missing Authorization

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on a function. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
enhanced-e-commerce-for-woocommerce-store
Fixed in 7.2.14

References

CVE
CVE-2025-62925
URL
https://patchstack.com/database/wordpress/plugin/enhanced-e-commerce-for-woocommerce-store/vulnerability/wordpress-conversios-io-plugin-7-2-10-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Legion Hunter
Verified
No
WPVDB ID
17ce6824-c533-4ac7-b932-ac71f5b00ced

Timeline

Publicly Published
2025-10-05 (about 8 months ago)
Added
2025-10-29 (about 7 months ago)
Last Updated
2025-12-12 (about 6 months ago)

Other

Published
Title
Published
2024-02-12
Title
SKT Page Builder < 4.2 - Missing Authorization to Authenticated(Subscriber+) Content Injection
Published
2026-04-09
Title
Download Manager < 3.3.52 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal
Published
2025-12-12
Title
Devs CRM – Manage tasks, attendance and teams all together <= 1.1.8 - Unauthenticated Information Expsoure
Published
2026-01-05
Title
Quiz and Survey Master (QSM) < 10.3.2 - Missing Authorization to Unpublished, Private And Password-Protected Quiz Information Disclosure And Image Response Uploads
Published
2026-02-17
Title
Order Splitter for WooCommerce < 5.3.6 - Missing Authorization to Authenticated (Subscriber+) Order Information Exposure