EmailKit < 1.6.1 – Missing Authorization to Authenticated (Author+) Arbitrary Content Deletion | CVE 2025-60106 | Plugin Vulnerabilities

Description

The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary content.

Affects Plugins

Fixed in 1.6.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/33fdd325-2a9e-4049-a2b0-c3eddc773c96

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Denver Jackson

Verified

No

WPVDB ID

90e9a04d-e486-4f5d-913e-686a073fdacf

Timeline

Publicly Published

2025-09-26 (about 9 months ago)

Added

2025-09-30 (about 8 months ago)

Last Updated

2025-10-08 (about 8 months ago)

Other

Published

Title

Published

2025-02-19

Title

Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) < 4.5.0 - Missing Authorization to Unauthenticated Price, Date, and Note Updates

Published

2024-11-18

Title

Jobify - Job Board WordPress Theme <= 4.2.3 - Unauthenticated Arbitrary File Read

Published

2024-10-24

Title

WP Booking System < 2.0.19.11 - Missing Authorization via wpbs_refresh_calendar_editor

Published

2025-12-26

Title

Medical Equipment eCommerce WordPress Theme <= 1.0.9 - Missing Authorization

Published

2024-04-29

Title

Embed Google Fonts <= 3.1.0 - Missing Authorization