WordPress Plugin Vulnerabilities

Echo Knowledge Base – Documentation, FAQs, AI Chat & AI Search < 16.20.0 - Missing Authorization

Description

The Echo Knowledge Base – Documentation, FAQs, Chat & Smart Search plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 16.011.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
echo-knowledge-base
Fixed in 16.20.0

References

CVE
CVE-2026-25402
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b4bfd3d4-8454-4db2-b6fc-570bc7f99f36

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nabil Irawan
Verified
No
WPVDB ID
3aa2ca07-0851-4734-9209-dbb0ee38bbaa

Timeline

Publicly Published
2026-01-29 (about 3 months ago)
Added
2026-05-04 (about 9 days ago)
Last Updated
2026-05-04 (about 9 days ago)

Other

Published
Title
Published
2023-09-05
Title
VS Contact Form < 14.0 - Missing Authorization
Published
2026-02-11
Title
Travel Agency < 1.5.6 - Missing Authorization
Published
2025-06-17
Title
Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit < 3.6.0 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation
Published
2025-08-01
Title
Ultimate Addons for Elementor < 2.4.7 - Subscriber+ Limited Settings Update
Published
2025-03-31
Title
Google SEO Pressor Snippet <= 2.0 - Missing Authorization