#VU105484 Missing Authorization in WP Online Contract - CVE-2025-0954

Cybersecurity Help s.r.o.

Published: 2025-03-10

Vulnerability identifier: #VU105484

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-0954

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
WP Online Contract
Web applications / Modules and components for CMS

Vendor: futuredesigngrp

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to a missing capability check on the json_import() and json_export() functions. A remote attacker can import and export the plugin's settings.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

WP Online Contract: 5.1.4

External links
https://codecanyon.net/item/wp-online-contract/7698011
https://www.wordfence.com/threat-intel/vulnerabilities/id/70f464ca-ff6c-4c2e-8b56-bf5e4bc6bd1f?source=cve

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Missing Authorization in WP Online Contract plugin for WordPress