WP Crowdfunding < 2.1.15 – Missing Authorization to Authenticated (Subscriber+) Post Content Download | CVE 2025-1508 | Plugin Vulnerabilities

Description

The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all versions up to, and including, 2.1.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to download all of a site's post content when WooCommerce is installed.

Affects Plugins

wp-crowdfunding

Fixed in 2.1.15

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/70a93afa-9801-41d2-8923-ca4ae6ae974f

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Verified

No

WPVDB ID

5b171ee7-1c37-4167-858f-d9332a0dce0d

Timeline

Publicly Published

2025-03-11 (about 1 year ago)

Added

2025-03-11 (about 1 year ago)

Last Updated

2025-04-30 (about 1 year ago)

Other

Published

Title

Published

2025-01-16

Title

Goldstar <= 2.1.1 - Missing Authorization

Published

2026-05-28

Title

User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder < 5.1.3 - Missing Authorization

Published

2024-04-22

Title

WP LinkedIn Auto Publish < 8.12 - Missing Authorization

Published

2025-01-06

Title

ClickDesigns < 2.0.0 - Missing Authorization to API Key Modification or Removal

Published

2024-12-10

Title

CM Answers < 3.2.7 - Missing Authorization