WordPress Plugin Vulnerabilities

Password Policy Manager | Password Manager < 2.0.6 - Missing Authorization to Authenticated (Subscriber+) Configuration Log Out

Description

The Password Policy Manager | Password Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'moppm_ajax' AJAX endpoint in all versions up to, and including, 2.0.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to log out the site's connection to miniorange.

Affects Plugins

Plugin icon
password-policy-manager
Fixed in 2.0.6

References

CVE
CVE-2025-11255
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/66ac51f9-3571-4e07-a110-afec43abab37

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jonas Benjamin Friedli
Verified
No
WPVDB ID
5fee7068-9ed2-4935-b6e6-798feb7f56a1

Timeline

Publicly Published
2025-10-24 (about 7 months ago)
Added
2025-10-24 (about 7 months ago)
Last Updated
2025-10-25 (about 7 months ago)

Other

Published
Title
Published
2024-09-30
Title
Soumettre.fr < 2.1.4 - Missing Authorization
Published
2023-11-01
Title
Funnelforms Free < 3.4.2 - Missing Authorization to New Category Creation
Published
2025-01-16
Title
WP Meetup <= 2.3.0 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Published
2025-01-16
Title
Slides & Presentations <= 0.0.39 - Missing Authorization to Content Injection
Published
2026-02-03
Title
MyRewards – Loyalty Points and Rewards for WooCommerce < 5.7.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Loyalty Rule Modification