Description
The WP Online Contract plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the json_import() and json_export() functions in all versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to import and export the plugin's settings.
Published: 2025-03-05
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration changes
Action: Patch now
AI Analysis

Impact

The WP Online Contract plugin for WordPress contains a missing capability check on the json_import() and json_export() functions in all versions up to and including 5.1.4. Because of this flaw, unauthenticated users can send requests to the plugin's import and export endpoints and read or overwrite the plugin's configuration settings. This allows an attacker to change how the plugin's contracts behave on the site, or to export the configuration for analysis, compromising the integrity of the WordPress installation.

Affected Systems

All installations of the WP Online Contract plugin from its earliest release through version 5.1.4 are impacted. The plugin is developed by the futuredesigngrp team. No known backported fixes exist for these versions, so any site running a vulnerable instance remains at risk until the plugin is updated.

Risk and Exploitability

The CVSS score of 6.5 classifies the flaw as medium severity. The EPSS score of less than 1% indicates a very low likelihood of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw by sending unauthenticated HTTP requests to the import or export routes, making it a remote, unauthenticated threat that could alter site configuration.

Generated by OpenCVE AI on April 28, 2026 at 03:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Online Contract to version 5.1.5 or newer, which removes the missing capability check.
  • If an immediate update is not possible, limit access to the json_import and json_export routes by configuring WordPress user roles or by using a security plugin to block non-administrator traffic to those URLs.
  • As a temporary workaround, disable or delete the import/export functionality by editing the plugin’s PHP files or by applying an .htaccess rule to deny access to the PHP script that implements these endpoints.
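The kind of authorization check this advisory says the plugin lacked (CWE-862), shown as an added illustration that is not the plugin's own code: an unguarded settings import/export handler beside a version that requires an administrator capability, a nonce, and a validated payload. The handler names, hook names, option key and setting keys are assumptions for this example.

```php
<?php
// Added example (not from the plugin): settings import/export before and
// after the missing authorization checks are added. All names are assumed.

// BEFORE: any request that reaches the handler can read or overwrite settings.
function vulnerable_json_export() {
    wp_send_json( get_option( 'example_contract_settings', array() ) );
}

function vulnerable_json_import() {
    $data = json_decode( file_get_contents( 'php://input' ), true );
    update_option( 'example_contract_settings', $data );
    wp_send_json_success();
}

// AFTER: capability check, CSRF nonce, and an allow-list of setting keys.
function hardened_json_export() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_contract_settings_io', 'nonce' );
    wp_send_json( get_option( 'example_contract_settings', array() ) );
}

function hardened_json_import() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_contract_settings_io', 'nonce' );
    $data = json_decode( file_get_contents( 'php://input' ), true );
    if ( ! is_array( $data ) ) {
        wp_send_json_error( 'invalid payload', 400 );
    }
    // Copy only known keys so an import cannot smuggle in arbitrary values.
    $allowed = array( 'company_name', 'notify_email', 'footer_text' );
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( isset( $data[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( $data[ $key ] );
        }
    }
    update_option( 'example_contract_settings', $clean );
    wp_send_json_success();
}

// Register only the hardened handlers on the logged-in 'wp_ajax_' hook;
// no 'wp_ajax_nopriv_' registration, so unauthenticated requests never
// reach them at all.
add_action( 'wp_ajax_example_contract_export', 'hardened_json_export' );
add_action( 'wp_ajax_example_contract_import', 'hardened_json_import' );
```

The capability check is the fix the advisory describes; the nonce and allow-list are the additional checks a reviewer would normally expect on an administrative settings endpoint.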

Advisories

Source: EUVD
ID: EUVD-2025-6026
Title: The WP Online Contract plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the json_import() and json_export() functions in all versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to import and export the plugin's settings.

History

Wed, 05 Mar 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 05 Mar 2025 09:30:00 +0000

Type: Description
Values added: The WP Online Contract plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the json_import() and json_export() functions in all versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to import and export the plugin's settings.

Type: Title
Values added: WP Online Contract <= 5.1.4 - Missing Authorization to Unauthenticated Settings Import

Type: Weaknesses
Values added: CWE-862

Type: References
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:28.092Z

Reserved: 2025-01-31T20:00:10.045Z

Link: CVE-2025-0954

Vulnrichment

Updated: 2025-03-05T14:22:34.758Z

NVD

Status: Deferred

Published: 2025-03-05T10:15:19.130

Modified: 2026-06-17T08:27:25.867

Link: CVE-2025-0954

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T03:45:20Z

Weaknesses