12 Step Meeting List < 3.16.6 – Missing Authorization to Authenticated (Contributor+) Arbitrary Content Deletion | CVE 2025-24580 | Plugin Vulnerabilities

Description

The 12 Step Meeting List plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wp_ajax_tsml_delete() function in all versions up to, and including, 3.16.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete all meeting data.

Affects Plugins

12-step-meeting-list

Fixed in 3.16.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d504c2bd-d6a8-4a66-a650-4a18cb32c54a

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Kévin Mosbahi (Mika)

Verified

No

WPVDB ID

eff9dd0a-384a-42a5-93d1-1d903b216bf6

Timeline

Publicly Published

2025-01-24 (about 1 year ago)

Added

2025-01-28 (about 1 year ago)

Last Updated

2025-01-28 (about 1 year ago)

Other

Published

Title

Published

2023-01-10

Title

Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Plugin Activation

Published

2026-02-19

Title

Ally < 4.0.3 - Missing Authorization

Published

2025-05-01

Title

OTP-less one tap Sign in 2.0.14 - 2.0.59 - Unauthenticated Arbitrary Email Update to Account Takeover/Privilege Escalation

Published

2024-04-22

Title

Secure Copy Content Protection and Content Locking < 3.7.2 - Missing Authorization

Published

2024-10-24

Title

Bold Page Builder < 5.1.4 - Missing Authorization