Description
The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized access to functionality in all versions up to, and including, 4.2.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary auctions, posts as well as pages and allows them to execute other actions related to auction handling.
Published: 2025-03-04
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary content deletion through missing authorization
Action: Patch
AI Analysis

Impact

The vulnerability in the Ultimate WordPress Auction Plugin lets authenticated users with Contributor-level access or higher delete auctions, posts, and pages without restriction. Because an authorization check is missing, an attacker can invoke the plugin's deletion routines and delete any content the user is able to view, disrupting site operations and potentially eroding user trust. The flaw does not provide direct code execution, but it enables significant data loss and compromises site integrity.

Affected Systems

WordPress sites that have the Ultimate WordPress Auction Plugin installed, versions 4.2.9 and earlier. The plugin is distributed by nitesh_singh and is commonly used to manage online auctions. Any site enabling Contributor roles or higher without restricting plugin-provided delete actions is vulnerable.

Risk and Exploitability

The CVSS score of 5.4 reflects a moderate severity, and the EPSS score of less than 1% indicates a low likelihood of widespread exploitation at this time. The vulnerability is not listed in CISA's KEV catalog. An attacker must first authenticate to the WordPress site with a role of at least Contributor, then employ the plugin's deletion endpoints. Once authenticated, the attacker can delete arbitrary content, causing loss of auctions, posts, or pages. The risk is limited to sites with the vulnerable plugin, but the loss of content can be operationally disruptive, especially for high-traffic auction platforms.

Generated by OpenCVE AI on April 21, 2026 at 22:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ultimate WordPress Auction Plugin to version 4.3.0 or newer, where the authorization checks have been restored
  • If an upgrade is not immediately possible, consider disabling the plugin's delete functionality or restricting Contributor access to read-only roles
  • Enforce least privilege by removing Contributor or higher roles from users who should not delete content, and review role permissions regularly


Advisories
Source: EUVD
ID: EUVD-2025-7375
Title: The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized access to functionality in all versions up to, and including, 4.2.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary auctions, posts as well as pages and allows them to execute other actions related to auction handling.
History

Tue, 04 Mar 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 04 Mar 2025 09:45:00 +0000

Type: Description
Values Removed: none
Values Added: The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized access to functionality in all versions up to, and including, 4.2.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary auctions, posts as well as pages and allows them to execute other actions related to auction handling.

Type: Title
Values Removed: none
Values Added: Ultimate WordPress Auction Plugin <= 4.2.9 - Missing Authorization to Arbitrary Post Deletion

Type: Weaknesses
Values Removed: none
Values Added: CWE-20

Type: References
Values Removed: none
Values Added:

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added:
{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Vendor: Nitesh Singh, product: Ultimate Wordpress Auction Plugin
Vendor: Wordpress, product: Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:31.405Z

Reserved: 2025-01-31T21:47:18.489Z

Link: CVE-2025-0958

Vulnrichment

Updated: 2025-03-04T14:22:11.610Z

NVD

Status : Received

Published: 2025-03-04T10:15:10.817

Modified: 2025-03-04T10:15:10.817

Link: CVE-2025-0958

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:15:45Z

Weaknesses