CVE-2025-1322

EPSS 0.11%
Veröffentlicht 08.03.2025 10:15:10
Zuletzt bearbeitet 13.03.2025 13:01:31
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

WP-Recall – Registration, Profile, Commerce & More <= 16.26.10 - Authenticated (Contributor+) Protected Post Disclosure

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 16.26.10 via the 'feed' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to view data from password protected, private, or draft posts that they should not have access to.

Mögliche Gegenmaßnahme

WP-Recall – Registration, Profile, Commerce & More: Update to version 16.26.12, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt WP-Recall – Registration, Profile, Commerce & More

Version *-16.26.10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Plechevandrey ≫ Wp-recall SwPlatformwordpress Version < 16.26.12

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.294

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
security@wordfence.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://www.wordfence.com/threat-intel/vulnerabilities/id/c667be65-e6d3-40e1-aeec-384d309fde3d?source=cve

Third Party Advisory

https://plugins.trac.wordpress.org/changeset/3250094/wp-recall/trunk/add-on/rcl-chat/core.php

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/c667be65-e6d3-40e1-aeec-384d309fde3d

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-1322

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-1322

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-1322

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-1322