Description
The KiotViet Sync plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveConfig() function in all versions up to, and including, 1.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's config.
Published: 2025-11-05
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration modification
Action: Update Plugin
AI Analysis

Impact

The vulnerability is a missing capability check in the saveConfig() function of the KiotViet Sync WordPress plugin. In WordPress, the hooks that expose plugin actions to logged-in users (for example the wp_ajax_{action} and admin_post_{action} hooks) fire for any authenticated account, so it is the callback's job to call current_user_can() with an appropriate capability before writing anything; saveConfig() omits that call, so any authenticated user with the Subscriber role or higher can update the plugin's configuration. This exposes the site to unintended changes in synchronization settings, which could expose data or disrupt normal operations, but it does not by itself allow code execution or broad compromise; the CVSS vector records a low integrity impact with no confidentiality or availability impact. The weakness is a classic authorization failure (CWE-862, Missing Authorization).
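The following is an added illustrative example, not code from the KiotViet Sync plugin or from OpenCVE. It shows the shape of a configuration-saving handler that omits the capability check (the CWE-862 pattern this advisory describes) next to a hardened version, and runs both as a Subscriber and as an Administrator. All names (kv_sync_settings, kv_sync_save_config, sanitize_settings, the URLs) are hypothetical, and the stubbed WordPress core functions exist only so the file runs under the php CLI.

```php
<?php
// Added example, not KiotViet Sync code. All option, action and function names
// are hypothetical. WordPress's wp_ajax_{action} and admin_post_{action} hooks
// fire for ANY logged-in user, so authorization must happen inside the callback.
// The stubs below stand in for WordPress core only so this file runs with
// `php example.php`; in a real plugin they come from WordPress and are not redefined.

$GLOBALS['wp_options']   = ['kv_sync_settings' => ['api_url' => 'https://sync.example/original']];
$GLOBALS['wp_user_caps'] = [];   // capabilities of the simulated current user

function current_user_can(string $cap): bool {
    return in_array($cap, $GLOBALS['wp_user_caps'], true);
}
function update_option(string $name, $value): bool {
    $GLOBALS['wp_options'][$name] = $value;
    return true;
}
function get_option(string $name) {
    return $GLOBALS['wp_options'][$name] ?? false;
}
function check_ajax_referer(string $action, string $arg = '_wpnonce', bool $die = true): bool {
    // Stub: a real nonce is bound to the user and a time window; here the
    // literal "stub-nonce:<action>" counts as valid.
    return ($_REQUEST[$arg] ?? '') === 'stub-nonce:' . $action;
}
function wp_send_json_error(string $message, int $status = 403): void {
    // Real WordPress sends a JSON body and exits; the stub only reports.
    echo "  -> rejected ($status): $message\n";
}

// Shared input handling: keep only the keys we expect and validate the URL.
function sanitize_settings(array $request): array {
    $url = filter_var($request['api_url'] ?? '', FILTER_VALIDATE_URL);
    return ['api_url' => $url === false ? '' : $url];
}

// VULNERABLE shape (what the advisory describes): no current_user_can() and no
// nonce, so every authenticated user who can reach the endpoint can overwrite
// the plugin configuration.
function vulnerable_save_config(array $request): bool {
    update_option('kv_sync_settings', sanitize_settings($request));
    return true;
}

// HARDENED shape: capability check first, CSRF nonce second, then write.
// Check a capability (manage_options), not a role name. Note that the nonce is
// CSRF protection only: a Subscriber can obtain a valid nonce for their own
// session, so a nonce without the capability check would NOT fix this bug.
function hardened_save_config(array $request): bool {
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient capability', 403);
        return false;
    }
    if (!check_ajax_referer('kv_sync_save_config', '_wpnonce', false)) {
        wp_send_json_error('invalid nonce', 403);
        return false;
    }
    update_option('kv_sync_settings', sanitize_settings($request));
    return true;
}

// Simulation (constructed input): a Subscriber (only "read") and an Administrator
// each submit the same attacker-controlled request to both handlers.
$attackerRequest = ['api_url' => 'https://attacker.example/exfil'];
$_REQUEST['_wpnonce'] = 'stub-nonce:kv_sync_save_config';   // attacker holds a valid nonce too

foreach (['subscriber' => ['read'], 'administrator' => ['read', 'manage_options']] as $role => $caps) {
    foreach (['vulnerable_save_config', 'hardened_save_config'] as $handler) {
        $GLOBALS['wp_user_caps'] = $caps;
        $GLOBALS['wp_options']['kv_sync_settings'] = ['api_url' => 'https://sync.example/original'];
        $ok = $handler($attackerRequest);
        printf("%-13s via %-22s saved=%s api_url=%s\n",
            $role, $handler, $ok ? 'yes' : 'no', get_option('kv_sync_settings')['api_url']);
    }
}
```

Running it shows the Subscriber overwriting api_url through the vulnerable handler and being rejected with 403 by the hardened one, while the Administrator succeeds with both. When auditing a plugin for this class of bug, look at every callback registered on wp_ajax_*, admin_post_* or a REST route and confirm it calls current_user_can() (or, for REST, has a non-trivial permission_callback) before any update_option() or database write.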

Affected Systems

The issue affects the KiotViet Sync plugin for WordPress in all versions up to and including 1.8.5. Any authenticated user holding at least the Subscriber role can trigger the vulnerable saveConfig() action and modify the plugin's settings; on sites with open user registration, where new accounts receive the Subscriber role by default, anyone able to create an account qualifies.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (Medium) reflects a network-reachable flaw that requires low-privilege authentication but no user interaction and has a low integrity impact with no confidentiality or availability impact (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). The EPSS score of less than 1 % signals a low probability of exploitation under current conditions, and the vulnerability is not listed in CISA's KEV catalog, so no exploitation in the wild has been documented there. An attacker must authenticate to the WordPress installation with at least Subscriber-level access, which limits the attack surface to authenticated users, but a malicious subscriber, a compromised account, or a self-registered account on a site with open registration can still alter the plugin's configuration.

Generated by OpenCVE AI on April 21, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update KiotViet Sync to a fixed release (any version above 1.8.5) as soon as the vendor publishes one; every version up to and including 1.8.5 lacks the capability check.
  • If an immediate upgrade is not feasible, do not rely on a role editor: saveConfig() performs no capability check at all, so there is no capability to revoke from the Subscriber role. Instead, reduce who can authenticate (disable open user registration, remove or audit Subscriber accounts) and, where the request route used by the plugin is known, block the config-save action for users without manage_options with a must-use plugin or a WAF rule.
  • Disable or uninstall the KiotViet Sync plugin if it is not required for site functionality.
  • Review all user accounts and roles, and ensure that only trusted administrators hold the capability to modify plugin configuration settings.

Generated by OpenCVE AI on April 21, 2026 at 01:50 UTC.


Advisories

No advisories yet.

History

Thu, 06 Nov 2025 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
Vendors & Products                    Wordpress
                                      Wordpress wordpress

Wed, 05 Nov 2025 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 05 Nov 2025 07:45:00 +0000

Type          Values Removed   Values Added
Description                    The KiotViet Sync plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveConfig() function in all versions up to, and including, 1.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's config.
Title                          KiotViet Sync <= 1.8.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:12.079Z

Reserved: 2025-11-03T21:59:04.600Z

Link: CVE-2025-12675

Vulnrichment

Updated: 2025-11-05T14:13:33.946Z

NVD

Status: Deferred

Published: 2025-11-05T08:15:33.500

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12675

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:00:12Z

Weaknesses