Description
The WP Headless CMS Framework plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 1.15. This is due to the plugin only checking for the existence of the Authorization header in a request when determining if the nonce protection should be bypassed. This makes it possible for unauthenticated attackers to access content they should not have access to.
Published: 2025-11-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Disclosure
Action: Patch
AI Analysis

Impact

The WP Headless CMS Framework plugin contains a protection mechanism bypass that allows an unauthenticated attacker to retrieve content that should be protected. The flaw arises because the plugin only checks for the existence of an Authorization header when deciding whether to skip nonce validation, enabling nonce bypass. This constitutes a CWE‑693 weakness, permitting attackers to gain information that must remain confidential.

Affected Systems

BenMoody's WP Headless CMS Framework up to and including version 1.15. Any installation of the plugin in these versions is affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.3 and an EPSS of less than 1%, indicating a moderate severity but a low likelihood of widespread exploitation. It is not listed in the CISA KEV catalog. Attackers can exploit it by sending a crafted HTTP request that includes an Authorization header to bypass nonce checks, thereby accessing protected content without authenticating.

Generated by OpenCVE AI on April 21, 2026 at 01:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Headless CMS Framework plugin to a fixed release (version 1.16 or later).
  • If an immediate update is not possible, enforce authentication or nonce validation on all plugin endpoints, for example by adding a custom permission callback in the REST API routes or disabling the plugin’s nonce bypass feature.
  • As a temporary measure, block unauthenticated requests to the plugin’s REST endpoints using server‑side rules such as .htaccess redirects or firewall filters.

Generated by OpenCVE AI on April 21, 2026 at 01:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 13 Nov 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 13 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 13 Nov 2025 08:45:00 +0000

Type Values Removed Values Added
Description The WP Headless CMS Framework plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 1.15. This is due to the plugin only checking for the existence of the Authorization header in a request when determining if the nonce protection should be bypassed. This makes it possible for unauthenticated attackers to access content they should not have access to.
Title WP Headless CMS Framework <= 1.15 - Unauthenticated Protection Mechanism Bypass
Weaknesses CWE-693
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:24.936Z

Reserved: 2025-10-03T12:43:32.593Z

Link: CVE-2025-11260

cve-icon Vulnrichment

Updated: 2025-11-13T18:24:10.987Z

cve-icon NVD

Status : Deferred

Published: 2025-11-13T09:15:46.623

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11260

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:45:24Z

Weaknesses