WordPress Plugin Vulnerabilities

PGS Core < 5.9.0 - Missing Authorization via Multiple Functions

Description

The PGS Core plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.8.0. This makes it possible for unauthenticated attackers to add, modify, or plugin options.

Affects Plugins

Plugin icon
pgs-core
Fixed in 5.9.0

References

CVE
CVE-2025-0856
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7c33b1cb-6eb1-48cd-b706-5ec270f4ae7e

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.3 (high)

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
9ddbd975-b02b-4b3a-bc27-c6f157b18f62

Timeline

Publicly Published
2025-05-06 (about 11 months ago)
Added
2025-05-06 (about 11 months ago)
Last Updated
2025-05-06 (about 10 months ago)

Other

Published
Title
Published
2024-04-05
Title
Image Watermark < 1.7.4 - Missing Authorization to Authenticated (Subscriber+) Watermark Modification
Published
2025-12-20
Title
WP JobHunt <= 7.7 - Missing Authorization to Authenticated (Candidate+) Stored Cross-Site Scripting via 'status'
Published
2025-11-26
Title
Hide Category by User Role for WooCommerce < 2.3.2 - Missing Authorization to Unauthenticated Cache Flushing
Published
2026-02-23
Title
Directory Pro <= 2.5.6 - Missing Authorization
Published
2025-11-27
Title
Powerlift < 3.2.1 - Missing Authorization