Description
The Reuters Direct plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'logoff' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to reset the plugin's settings.
Published: 2025-11-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Settings Reset
Action: Patch
AI Analysis

Impact

The Reuters Direct plugin for WordPress does not verify the caller's capability before acting on its logoff action. This lets any unauthenticated user trigger a reset of the plugin's configuration. The result is an unauthorized modification of data that can disrupt site operation or serve as a foothold for attackers who later reconfigure the plugin in a malicious manner. The weakness is an authorization-control error, classified as CWE-862 (Missing Authorization).

Affected Systems

All installations of the Reuters Direct WordPress plugin from its initial release through version 3.0.0 are vulnerable. The affected product is the Reuters Direct plugin distributed by the rnags vendor within the WordPress ecosystem.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog. An attacker would only need to send a request for the logoff action without authenticating; no credentials are required, the request merely has to reach the target server. The overall risk is therefore moderate but non-negligible, especially for high-traffic sites where a settings reset could cause significant disruption.

Generated by OpenCVE AI on April 21, 2026 at 17:57 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Reuters Direct plugin to the latest available release (above version 3.0.0).
  • If an update is not immediately possible, restrict access to the logoff action so that only authenticated users with the appropriate capability can execute it. This can be achieved by disabling the endpoint or modifying the plugin code to enforce a capability check.
  • Audit the WordPress installation for other plugins that may lack proper capability validations and apply updates or custom patches as necessary.
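To make the capability-check recommendation concrete, the following is an added illustration of the CWE-862 pattern and its fix in a generic WordPress plugin; it is not code from the Reuters Direct plugin, and every function, hook and option name is hypothetical.

```php
<?php
// Added illustration of the CWE-862 pattern described above; NOT code from the
// Reuters Direct plugin. All option and function names are hypothetical.

// Vulnerable shape: a settings-reset handler keyed only on a request parameter,
// with no check on who is asking. Any visitor who can reach the site can run it.
function example_plugin_handle_logoff_vulnerable() {
    if ( isset( $_GET['action'] ) && 'logoff' === $_GET['action'] ) {
        delete_option( 'example_plugin_settings' ); // hypothetical option name
        wp_safe_redirect( admin_url( 'options-general.php' ) );
        exit;
    }
}
// add_action( 'init', 'example_plugin_handle_logoff_vulnerable' ); // do not ship this

// Hardened shape: the same action, but only a logged-in user holding the
// plugin's management capability, presenting a valid nonce, may run it.
function example_plugin_handle_logoff_fixed() {
    if ( ! isset( $_GET['action'] ) || 'logoff' !== $_GET['action'] ) {
        return;
    }
    // Authorization check: CWE-862 is precisely the absence of this line.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to reset these settings.' ), 403 );
    }
    // CSRF check: the request must carry the nonce issued with the reset link.
    check_admin_referer( 'example_plugin_logoff' );
    delete_option( 'example_plugin_settings' );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
// admin_init only fires for admin-area requests, a second layer on top of the
// capability check; the capability check is what actually closes CWE-862.
add_action( 'admin_init', 'example_plugin_handle_logoff_fixed' );

// Build the reset link with the matching nonce so check_admin_referer() passes.
function example_plugin_logoff_url() {
    return wp_nonce_url(
        admin_url( 'options-general.php?action=logoff' ),
        'example_plugin_logoff'
    );
}
```

When auditing other plugins for the same defect class, look for handlers that change state on a request parameter or an `admin_post_nopriv_*` / `wp_ajax_nopriv_*` hook without a `current_user_can()` call before the write.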


Advisories

No advisories yet.

History

Fri, 28 Nov 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Nov 2025 16:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 27 Nov 2025 03:00:00 +0000

Type: Description
Values Added: The Reuters Direct plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'logoff' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to reset the plugin's settings.

Type: Title
Values Added: Reuters Direct <= 3.0.0 - Missing Authorization to Unauthenticated Settings Reset

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:06.782Z

Reserved: 2025-10-31T21:17:26.417Z

Link: CVE-2025-12579

Vulnrichment

Updated: 2025-11-28T14:41:20.727Z

NVD

Status : Deferred

Published: 2025-11-27T03:15:57.360

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12579

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:00:11Z

Weaknesses