Description
The PGS Core plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.8.0. This makes it possible for unauthenticated attackers to add, modify, or plugin options.
Published: 2025-05-06
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification and loss of data via missing capability checks
Action: Apply Patch
AI Analysis

Impact

The PGS Core plugin for WordPress contains a missing capability check on several functions in all releases up to 5.8.0. This flaw allows an attacker who does not even have authentication credentials to add, alter or delete plugin options and settings, directly manipulating the site configuration and potentially compromising data integrity.

Affected Systems

The affected product is PGS Core supplied by Potenza Global Solutions for WordPress sites. Versions 5.8.0 and earlier are vulnerable; any site running the plugin in those releases is at risk.

Risk and Exploitability

Based on the description, it is inferred that attacks would involve sending crafted HTTP requests to the plugin’s endpoints, manipulating configuration options without any authentication, because the capability checks are missing. The CVSS score of 7.3 indicates high severity. The EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation is unlikely at present. Nonetheless, the ability for unauthenticated users to modify plugin settings poses a significant risk to data integrity and site stability, especially on large WordPress deployments.

Generated by OpenCVE AI on April 22, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PGS Core to the latest version available (greater than 5.8.0) where the capability checks have been restored.
  • If an immediate upgrade is not possible, disable or remove the PGS Core plugin from all vulnerable WordPress installations until a patch can be applied.
  • Configure WordPress to enforce strict role‑based permissions, ensuring that only users with the wp_manage_options capability can modify plugin settings, to mitigate the risk of accidental or malicious changes.

Generated by OpenCVE AI on April 22, 2026 at 17:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-13648 The PGS Core plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.8.0. This makes it possible for unauthenticated attackers to add, modify, or plugin options.
History

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00133}

 epss

{'score': 0.00139}

Wed, 07 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 May 2025 22:45:00 +0000

Type Values Removed Values Added
Description The PGS Core plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.8.0. This makes it possible for unauthenticated attackers to add, modify, or plugin options.
Title PGS Core <= 5.8.0 - Missing Authorization via Multiple Functions
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:38.920Z

Reserved: 2025-01-29T18:41:52.271Z

Link: CVE-2025-0856

cve-icon Vulnrichment

Updated: 2025-05-07T13:22:40.520Z

cve-icon NVD

Status : Deferred

Published: 2025-05-06T23:15:51.260

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-0856

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T17:30:22Z

Weaknesses