WordPress Plugin Vulnerabilities

Page and Post Lister <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion

Description

The Page and Post Lister plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary content.

Affects Plugins

Plugin icon
page-and-post-lister
No known fix

References

CVE
CVE-2025-27310
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/94e0f4cd-55fa-42f4-8d56-c8598ade4dc7

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
7267b6c4-0e74-4901-8f38-087c7e27d97d

Timeline

Publicly Published
2025-02-21 (about 1 year ago)
Added
2025-03-03 (about 1 year ago)
Last Updated
2025-03-03 (about 1 year ago)

Other

Published
Title
Published
2025-07-14
Title
Alone – Charity Multipurpose Non-profit WordPress Theme < 7.8.5 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation
Published
2022-02-28
Title
miniOrange's Google Authenticator < 5.5 - Unauthenticated Arbitrary Options Deletion
Published
2026-01-20
Title
WishList Member X <= 3.29.0 - Missing Authorization
Published
2025-11-04
Title
ZoloBlocks < 2.3.12 - Missing Authorization
Published
2026-02-08
Title
Textmetrics < 3.6.5 - Missing Authorization