Description
The Voidek Employee Portal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to perform several actions like registering an account, deleting users, and modifying details within the employee portal.
Published: 2025-12-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Missing Capability Check
Action: Assess Impact
AI Analysis

Impact

The Voidek Employee Portal plugin for WordPress allows unauthenticated users to trigger several AJAX actions without performing a capability check. This missing authorization validation permits attackers to create new accounts, delete existing users, and modify employee details. The weakness is a classic missing permission verification (CWE‑862) that can compromise confidentiality and integrity of the portal’s user data.

Affected Systems

Any WordPress site running Voidek Employee Portal versions up to and including 1.0.7 is affected. No version information beyond 1.0.7 is listed, so installations of that or older releases are vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, but the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Attackers only need access to the relevant AJAX endpoints, so the vector is inferred to be remote, unauthenticated. If exploited, the attacker could create accounts, delete users, and alter employee details, compromising the integrity of the portal’s data.

Generated by OpenCVE AI on April 21, 2026 at 17:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Voidek Employee Portal plugin to a version newer than 1.0.7 if an update is available.
  • Disable or restrict the AJAX endpoints that lack capability checks, or remove the plugin entirely if it cannot be updated.
  • Configure the site’s permission model to ensure that account creation, deletion, and employee detail modification are only available to roles with the appropriate capabilities, and review other plugins for similar missing checks.

Generated by OpenCVE AI on April 21, 2026 at 17:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description The Voidek Employee Portal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in all versions up to, and including, 1.0.6. This makes it possible for unauthenticated attackers to perform several actions like registering an account, deleting users, and modifying details within the employee portal. The Voidek Employee Portal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to perform several actions like registering an account, deleting users, and modifying details within the employee portal.
Title Voidek Employee Portal <= 1.0.6 - Missing Authorization Voidek Employee Portal <= 1.0.7 - Missing Authorization
References

Fri, 05 Dec 2025 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 05 Dec 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Dec 2025 06:30:00 +0000

Type Values Removed Values Added
Description The Voidek Employee Portal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in all versions up to, and including, 1.0.6. This makes it possible for unauthenticated attackers to perform several actions like registering an account, deleting users, and modifying details within the employee portal.
Title Voidek Employee Portal <= 1.0.6 - Missing Authorization
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:32.344Z

Reserved: 2025-10-22T19:17:58.754Z

Link: CVE-2025-12093

cve-icon Vulnrichment

Updated: 2025-12-05T13:41:07.769Z

cve-icon NVD

Status : Deferred

Published: 2025-12-05T07:16:08.347

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12093

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:45:16Z

Weaknesses