WordPress Plugin Vulnerabilities

WPS Bidouille < 1.33.2 - Missing Authorization

Description

The WPS Bidouille plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.33.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
wps-bidouille
Fixed in 1.33.2

References

CVE
CVE-2025-64238
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6f2b3c4a-8dc5-459b-ae55-d11fc988dbe8

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Legion Hunter
Verified
No
WPVDB ID
5eb1a23c-51b4-4198-a1e0-71cd633a44d3

Timeline

Publicly Published
2025-12-02 (about 5 months ago)
Added
2025-12-19 (about 4 months ago)
Last Updated
2026-01-05 (about 4 months ago)

Other

Published
Title
Published
2025-06-05
Title
Hive Support < 1.2.6 - Authenticated (Subscriber+) Missing Authorization via hs_update_ai_chat_settings and hive_lite_support_get_all_binbox
Published
2022-06-16
Title
BuddyPress Group Reviews < 2.8.4 - Subscriber+ Arbitrary Settings Update & Review Modification
Published
2024-02-26
Title
Categorify < 1.0.7.5 - Missing Authorization in categorifyAjaxClearCategory
Published
2025-01-06
Title
LazyLoad Background Images <= 1.0.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
Published
2026-03-25
Title
Blog2Social: Social Media Auto Post & Scheduler < 8.8.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Deletion via 'b2s_reset_social_meta_tags' AJAX Action