Description
The Check Plagiarism plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the chk_plag_mine_plugin_wpse10500_admin_action() function in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the API key.
Published: 2025-10-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Configuration Modification
Action: Immediate Patch
AI Analysis

Impact

The Check Plagiarism plugin for WordPress contains a missing capability check on the chk_plag_mine_plugin_wpse10500_admin_action() function. Because the access control guard is omitted, any authenticated user with Subscriber or higher privileges can invoke the function and update the plugin’s API key. This flaw maps to CWE‑862 and permits the attacker to change critical configuration without authorization, potentially enabling further misuse or service interruption.

Affected Systems

This issue affects the plagiarismchecker Check Plagiarism WordPress plugin, versions 1.x through 2.0 inclusive. WordPress sites that have installed any of these older releases are susceptible. No other products or platforms are listed as affected.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate risk, while the EPSS score of <1% suggests a low probability of exploitation in the wild. The flaw is not included in the CISA KEV list. An attacker must already possess a valid subscriber account, but such accounts are common on multi‑user WordPress installations. Once authenticated, the exploitation path is straightforward: the attacker calls the vulnerable admin action and replaces the API key.

Generated by OpenCVE AI on April 21, 2026 at 02:06 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Check Plagiarism plugin to the latest version that includes the authorization check fix.
  • Revoke or limit the ability of subscriber‑level users to modify plugin settings; ensure they lack the capability to call the chk_plag_mine_plugin_wpse10500_admin_action() function.
  • Monitor audit logs for changes to the API key and investigate any unauthorized modifications.

Advisories

No advisories yet.

History

Mon, 27 Oct 2025 22:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Plagiarismcheckerx; Plagiarismcheckerx plagiarism Checker X; Wordpress; Wordpress wordpress
Vendors & Products | | Plagiarismcheckerx; Plagiarismcheckerx plagiarism Checker X; Wordpress; Wordpress wordpress

Fri, 24 Oct 2025 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Oct 2025 08:30:00 +0000

Type | Values Removed | Values Added
Description | | The Check Plagiarism plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the chk_plag_mine_plugin_wpse10500_admin_action() function in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the API key.
Title | | Check Plagiarism <= 2.0 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:14.957Z

Reserved: 2025-09-29T17:24:46.884Z

Link: CVE-2025-11172

Vulnrichment

Updated: 2025-10-24T14:36:23.302Z

NVD

Status: Deferred

Published: 2025-10-24T09:15:42.270

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11172

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:15:06Z

Weaknesses