WordPress Plugin Vulnerabilities

WP Dummy Content Generator < 4.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Deletion

Description

The WP Dummy Content Generator plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.4.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary user accounts.

Affects Plugins

Plugin icon
wp-dummy-content-generator
Fixed in 4.0.0

References

CVE
CVE-2025-49234
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/640e109c-366f-4217-98e8-b1e5a0f0f062

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Kévin Mosbahi (Mika)
Verified
No
WPVDB ID
76c81e52-5304-4f34-80e3-693ddea44965

Timeline

Publicly Published
2025-06-16 (about 11 months ago)
Added
2025-06-25 (about 11 months ago)
Last Updated
2025-06-25 (about 11 months ago)

Other

Published
Title
Published
2026-02-26
Title
Simply Schedule Appointments < 1.6.11.1 - Missing Authorization
Published
2023-11-13
Title
Essential Blocks for Gutenberg < 4.2.1 - Missing Authorization via AJAX actions
Published
2024-10-10
Title
GutenKit < 2.1.1 - Unauthenticated Arbitrary File Upload
Published
2022-09-23
Title
MailOptin < 1.2.50.0 - Unauthenticated Campaign Cache Deletion
Published
2025-01-24
Title
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress < 1.3.4 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update (save_addon_key_license)