Main Vulnerability Database SB2025031067

SB2025031067 - Missing Authorization in WP Online Contract plugin for WordPress

Published: March 10, 2025

Security Bulletin ID SB2025031067

Severity

Medium

Patch available

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Missing Authorization (CVE-ID: CVE-2025-0954)

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to a missing capability check on the json_import() and json_export() functions. A remote attacker can import and export the plugin's settings.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

https://codecanyon.net/item/wp-online-contract/7698011
https://www.wordfence.com/threat-intel/vulnerabilities/id/70f464ca-ff6c-4c2e-8b56-bf5e4bc6bd1f?source=cve