WordPress Plugin Vulnerabilities

Ibtana < 1.2.5.4 - Missing Authorization to Authenticated (Contributor+) Arbitrary Content Deletion

Description

The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check in all versions up to, and including, 1.2.5.3. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary content.

Affects Plugins

Plugin icon
ibtana-visual-editor
Fixed in 1.2.5.4

References

CVE
CVE-2025-59581
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8e75bc13-4a9c-439d-a361-33711886bfac

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Denver Jackson
Verified
No
WPVDB ID
7fb9602d-3962-4e4b-bcaf-5ee38ab73db7

Timeline

Publicly Published
2025-09-22 (about 9 months ago)
Added
2025-09-26 (about 8 months ago)
Last Updated
2025-09-26 (about 8 months ago)

Other

Published
Title
Published
2025-09-05
Title
Product Carousel Slider for Elementor <= 2.1.3 - Missing Authorization
Published
2026-03-31
Title
Royal Elementor Addons < 1.7.1057 - Unauthenticated Missing Authorization
Published
2026-04-23
Title
Liaison Site Prober < 1.2.2 - Missing Authorization to Unauthenticated Information Exposure in '/logs' REST API Endpoint
Published
2023-12-06
Title
System Dashboard < 2.8.8 - Missing Authorization to Information Disclosure (sd_db_specs)
Published
2025-11-11
Title
Booking Calendar | Appointment Booking | Bookit < 2.5.1 - Missing Authorization to Unauthenticated Stripe Connection