WordPress Plugin Vulnerabilities

Title Experiments Free <= 9.0.4 - Missing Authorization

Description

The Title Experiments Free plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 9.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
wp-experiments-free
No known fix

References

CVE
CVE-2025-22561
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d4a15720-2535-4258-8d58-20818cdbd413

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
410f52e9-4e8c-4d2b-b8b4-b5e5df7ef612

Timeline

Publicly Published
2025-01-07 (about 1 year ago)
Added
2025-01-14 (about 1 year ago)
Last Updated
2025-01-14 (about 1 year ago)

Other

Published
Title
Published
2024-11-18
Title
de:branding <= 1.0.2 - Privilege Escalation
Published
2025-12-15
Title
Yaad Sarig Payment Gateway For WC <= 2.2.10 - Missing Authorization
Published
2024-03-08
Title
HT Easy GA4 – Google Analytics WordPress Plugin < 1.2.0 - Missing Authorization to Unauthenticated GA4 Email Update
Published
2023-01-10
Title
Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Template Import
Published
2024-10-24
Title
WordPress Stripe Donation and Payment Plugin < 3.2.4 - Missing Authorization