WordPress Plugin Vulnerabilities

WP VR < 8.5.42 - Contributor+ Plugin Settings Update

Description

The plugin is vulnerable to unauthorized access of data due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor level access and above, to modify sensitive plugin options.

Affects Plugins

Plugin icon
wpvr
Fixed in 8.5.42

References

CVE
CVE-2025-12005
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9bcbc0cf-69e5-4d6e-8987-a0fbbaf41740

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
2.7 (low)

Miscellaneous

Original Researcher
Rafshanzani Suhada
Verified
No
WPVDB ID
75ccfefe-6d62-43dd-812d-17756fc79ae8

Timeline

Publicly Published
2025-10-24 (about 8 months ago)
Added
2025-10-27 (about 7 months ago)
Last Updated
2025-10-27 (about 7 months ago)

Other

Published
Title
Published
2025-06-07
Title
Backup and Move <= 0.1 - Missing Authorization
Published
2024-07-09
Title
User Activity Log Pro <= 2.3.4 - Missing Authorization
Published
2024-09-16
Title
WooCommerce Multilingual & Multicurrency < 5.3.7 - Missing Authorization
Published
2026-01-13
Title
PayHere Payment Gateway Plugin for WooCommerce < 2.4.0 - Missing Authorization to Unauthenticated Order Status Modification
Published
2025-03-18
Title
CozyStay < 1.7.1 - Missing Authorization to Arbitrary Action Execution in ajax_handler