Description
The KiotViet Sync plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attackers to create and sync products.
Published: 2025-11-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Apply patch
AI Analysis

Impact

The KiotViet Sync plugin for WordPress stores a hard‑coded password for authentication, allowing an attacker without valid credentials to bypass the plugin’s authorization checks. This vulnerability permits unauthenticated users to create new products and trigger synchronization events, compromising the integrity of the site’s product data and potentially enabling further malicious activity. The weakness corresponds to CWE‑259: Hard‑coded Password.

Affected Systems

The vulnerability affects the mykiot KiotViet Sync plugin in all releases up to and including version 1.8.5.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the near term. The plugin is not listed in CISA KEV. Based on the description, it is inferred that an attacker can exploit this by sending crafted HTTP requests to the plugin’s QueryControllerAdmin endpoint from any network location, enabling authentication bypass in a remote manner.

Generated by OpenCVE AI on April 21, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest version of KiotViet Sync (≥1.8.6) which removes the hard‑coded password.
  • If an update is not immediately available, disable or uninstall the plugin to prevent unauthenticated access.
  • Replace any hard‑coded credentials in the plugin’s authentication hooks with a unique, non‑default password to eliminate the vulnerability.
  • Regularly inspect the WordPress site for unauthorized product creation or sync activity and change the site admin password periodically.

Generated by OpenCVE AI on April 21, 2026 at 01:50 UTC.
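The pattern named in the Impact section (a password baked into the plugin source and compared in an authentication method) and the remediation bullet about replacing hard-coded credentials are illustrated below with a hypothetical WordPress controller. This is an added example for this page; it is not the KiotViet Sync plugin's code, and the class names, the `kiotviet_sync_api_secret` option key, the `kiotviet_sync_admin` nonce action and the placeholder password are all constructed for illustration. It assumes the standard WordPress plugin API (`current_user_can`, `wp_verify_nonce`, `get_option`, `add_option`, `wp_generate_password`) is loaded.

```php
<?php
// Hypothetical illustration, not the plugin's code. The "before" class shows
// the CWE-259 weakness described on this page: the only gate on an
// administrative action is equality with a string shipped inside the plugin.
// Plugin source on wordpress.org is public, so every installation shares the
// same credential and anyone can read it.
class Vulnerable_QueryControllerAdmin {
    // Constructed placeholder; a real plugin would have a fixed string here.
    const HARDCODED_PASSWORD = 'REPLACE_ME_shipped_with_the_plugin';

    public function authenticated( array $request ): bool {
        // No WordPress session, capability or nonce is consulted: any caller
        // who knows the constant is treated as an administrator.
        return isset( $request['password'] )
            && $request['password'] === self::HARDCODED_PASSWORD;
    }
}

// Hardened form. Interactive use is tied to the WordPress user session and
// capability model plus a nonce; machine-to-machine sync uses a per-site
// secret generated at install time, stored via the options API (never in the
// source) and compared in constant time.
class Hardened_QueryControllerAdmin {
    const OPTION_NAME  = 'kiotviet_sync_api_secret'; // hypothetical option key
    const NONCE_ACTION = 'kiotviet_sync_admin';      // hypothetical nonce action

    public function authenticated( array $request ): bool {
        // Path 1: a logged-in administrator submitting a nonce-protected form.
        if ( is_user_logged_in()
            && current_user_can( 'manage_options' )
            && isset( $request['_wpnonce'] )
            && false !== wp_verify_nonce( (string) $request['_wpnonce'], self::NONCE_ACTION ) ) {
            return true;
        }

        // Path 2: a sync client presenting the per-site secret. hash_equals()
        // avoids leaking the secret's length or matching prefix through timing.
        $stored = get_option( self::OPTION_NAME, '' );
        $given  = $request['api_secret'] ?? '';
        if ( ! is_string( $stored ) || '' === $stored || ! is_string( $given ) ) {
            $this->log_failure( 'missing secret' );
            return false;
        }
        if ( hash_equals( $stored, $given ) ) {
            return true;
        }
        $this->log_failure( 'bad secret' );
        return false;
    }

    // Called from register_activation_hook(); creates a unique 64-character
    // secret per site so no two installations share a credential.
    public static function on_activation(): void {
        if ( false === get_option( self::OPTION_NAME ) ) {
            add_option( self::OPTION_NAME, wp_generate_password( 64, false ), '', 'no' );
        }
    }

    // Failed attempts are worth recording: the Recommended Actions above ask
    // operators to watch for unauthorized sync activity, and a burst of
    // rejected requests to the admin controller is the earliest signal.
    private function log_failure( string $reason ): void {
        $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
        error_log( sprintf( '[kiotviet-sync] auth failure (%s) from %s', $reason, $ip ) );
    }
}
```

The point of the two-path design is that neither path depends on a value present in the distributed code: the nonce is derived from the site's salts and the user's session, and the API secret is minted per installation. Rotating the secret is then an operational step (delete and regenerate the option) rather than a code change, which is what distinguishes it from simply editing the hard-coded string to a different hard-coded string.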

Advisories

No advisories yet.

History

Thu, 06 Nov 2025 10:15:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Wordpress
                                       Wordpress wordpress
Vendors & Products                     Wordpress
                                       Wordpress wordpress

Wed, 05 Nov 2025 15:15:00 +0000

Type                 Values Removed    Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 05 Nov 2025 07:45:00 +0000

Type                 Values Removed    Values Added
Description                            The KiotViet Sync plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attackers to create and sync products.
Title                                  KiotViet Sync <= 1.8.5 - Use of Hard-coded Password to Authorization Bypass
Weaknesses                             CWE-259
References
Metrics                                cvssV3_1
                                       {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:43.962Z

Reserved: 2025-11-03T22:02:11.284Z

Link: CVE-2025-12676

Vulnrichment

Updated: 2025-11-05T14:20:38.395Z

NVD

Status: Deferred

Published: 2025-11-05T08:15:33.680

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12676

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:00:12Z

Weaknesses