WordPress Plugin Vulnerabilities

Pochipp < 1.18.1 - Missing Authorization

Description

The Pochipp plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.18.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
pochipp
Fixed in 1.18.1

References

CVE
CVE-2025-66129
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/031df7ea-b341-40fc-981f-711883f08742

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
NumeX
Verified
No
WPVDB ID
945583d0-d636-4f17-bdfa-cc6fab5eaa6d

Timeline

Publicly Published
2025-12-14 (about 2 months ago)
Added
2025-12-19 (about 2 months ago)
Last Updated
2026-01-06 (about 1 month ago)

Other

Published
Title
Published
2026-01-21
Title
Photo Gallery by 10Web – Mobile-Friendly Image Gallery < 1.8.37 - Missing Authorization to Unauthenticated Arbitrary Comment Deletion
Published
2025-07-09
Title
Templazee <= 1.0.2 - Missing Authorization
Published
2025-09-30
Title
Effect Maker <= 1.2.1 - Missing Authorization
Published
2025-01-24
Title
Post Duplicator < 2.36 - Missing Authorization
Published
2025-10-23
Title
Supervisor < 1.3.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update