SmartCrawl SEO checker, analyzer & optimizer < 3.14.4 – Missing Authorization to Plugin Settings Update | CVE 2025-11163 | Plugin Vulnerabilities

Description

The SmartCrawl SEO checker, analyzer & optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_submodule() function in all versions up to, and including, 3.14.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's setttings.

Affects Plugins

Fixed in 3.14.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8a63a9b3-c056-45f3-952c-9aee997d1d27

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafshanzani Suhada

Verified

No

WPVDB ID

68083532-6a32-404d-b01b-09fbed6d55c6

Timeline

Publicly Published

2025-09-29 (about 7 months ago)

Added

2025-09-29 (about 7 months ago)

Last Updated

2025-09-30 (about 7 months ago)

Other

Published

Title

Published

2021-02-10

Title

Map Block for Google Maps < 1.32 - Unauthorised Google API Key change

Published

2024-04-15

Title

Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds for Google, Facebook/Meta, Bing, & More < 13.3.2 - Sensitive Information Exposure via Log Files

Published

2024-08-24

Title

PowerPack Pro for Elementor < 2.10.15 - Contributor+ Privilege Escalation

Published

2025-08-28

Title

WP Hotel Booking < 2.2.3 - Subscriber+ Rating Manipulation

Published

2022-07-26

Title

WPGraphQL WooCommerce < 0.12.4 - Unauthenticated Coupon Codes Disclosure