Description
The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to arbitrary shortcode execution due to a missing capability check on the 'rcl_preview_post' AJAX endpoint in all versions up to, and including, 16.26.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
Published: 2025-03-08
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Shortcode Execution
Action: Immediate Patch
AI Analysis

Impact

The WP-Recall – Registration, Profile, Commerce & More plugin is vulnerable because its rcl_preview_post AJAX endpoint executes a shortcode without first checking the caller's capabilities. Any authenticated user with Subscriber-level access or higher can therefore submit an arbitrary shortcode and have the site run it, which can lead to malicious code execution, data exfiltration, or defacement depending on which shortcodes the site has registered. The weakness is a classic Missing Authorization flaw (CWE-862).

Affected Systems

All installations of the WP-Recall plugin for WordPress up to and including version 16.26.10 are affected. The problem exists in the main plugin bundle and in any add-on modules that expose the rcl_preview_post endpoint. Any WordPress site that has not upgraded past 16.26.10 is therefore at risk.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 6.3 (Medium). The EPSS score below 1% indicates that widespread exploitation is unlikely, and the CVE is not listed in the CISA KEV catalog. An attacker must first be authenticated (Subscriber or higher) and then call the rcl_preview_post AJAX route, typically with a crafted request sent from the browser or from a script. Given these constraints, the risk is significant for sites that grant Subscriber privileges to many users (for example, sites with open registration) and low for deployments where accounts are tightly controlled.

Generated by OpenCVE AI on April 20, 2026 at 23:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP-Recall to version 16.27 or later.
  • If upgrading is not immediately possible, restrict the rcl_preview_post AJAX endpoint so that only users with appropriate capabilities can access it, or block the endpoint with a firewall rule.
  • Monitor the site for unusual shortcode execution patterns and log entries referencing the rcl_preview_post endpoint to detect potential abuse.
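The second and third actions above can be combined in a small must-use plugin. The following is an added example written for this page, not code from WP-Recall or from OpenCVE. It assumes that the vulnerable handler is attached to the standard WordPress `wp_ajax_rcl_preview_post` hook at the default priority (10) and that `edit_posts` is the appropriate capability for previewing post content; both are assumptions that should be confirmed against the installed plugin. The nonce action name `rcl_preview_nonce` in the reference handler is likewise made up for illustration.

```php
<?php
/**
 * Plugin Name: Guard rcl_preview_post (added example, not WP-Recall code)
 * Description: Interim capability gate for the rcl_preview_post AJAX action
 *              until WP-Recall is upgraded past 16.26.10.
 *
 * Place this file in wp-content/mu-plugins/ so it loads before regular plugins.
 *
 * Assumptions (not stated by the advisory): the vulnerable handler runs on the
 * standard 'wp_ajax_rcl_preview_post' hook at priority 10, and 'edit_posts' is
 * the right capability for post previews. Adjust both if an audit of the
 * installed plugin says otherwise.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Decide whether the current request may run the preview action.
 * Returns true only for users who can edit posts; Subscribers cannot.
 */
function guard_rcl_preview_allowed() {
    return is_user_logged_in() && current_user_can( 'edit_posts' );
}

/**
 * Runs at priority 0, i.e. before the plugin's own callback on the same hook.
 * wp_send_json_error() terminates the request, so the later callback never runs.
 */
function guard_rcl_preview_post() {
    if ( guard_rcl_preview_allowed() ) {
        return; // fall through to the plugin's handler
    }

    // Record the blocked attempt so it appears in the logs that the
    // monitoring step above is looking for.
    error_log( sprintf(
        'rcl_preview_post blocked: user_id=%d ip=%s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
add_action( 'wp_ajax_rcl_preview_post', 'guard_rcl_preview_post', 0 );

/**
 * For reference only (not registered): the shape a preview handler should have
 * once fixed. Nonce check, capability check, then (and only then) shortcode
 * rendering. 'rcl_preview_nonce' is a hypothetical nonce action name.
 */
function example_hardened_preview_handler() {
    check_ajax_referer( 'rcl_preview_nonce', 'nonce' );

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    $html    = do_shortcode( wp_kses_post( $content ) );

    wp_send_json_success( array( 'html' => $html ) );
}
```

The guard relies on priority ordering on the same hook: if the plugin registers its callback at a priority below 0 or routes the action through its own dispatcher instead of admin-ajax.php, the guard never fires. Verify it in a staging copy by logging in as a Subscriber, calling the action, and confirming a 403 response and a matching `rcl_preview_post blocked` line in the PHP error log before relying on it in production; upgrading remains the real fix.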

Advisories

Source: EUVD
ID: EUVD-2025-7393
Title: The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to arbitrary shortcode execution due to a missing capability check on the 'rcl_preview_post' AJAX endpoint in all versions up to, and including, 16.26.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

History

Mon, 24 Mar 2025 18:30:00 +0000
  First Time appeared (values added): Plechevandrey; Plechevandrey wp-recall
  CPEs (values added): cpe:2.3:a:plechevandrey:wp-recall:*:*:*:*:*:wordpress:*:*
  Vendors & Products (values added): Plechevandrey; Plechevandrey wp-recall

Tue, 11 Mar 2025 17:15:00 +0000
  Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 08 Mar 2025 09:30:00 +0000
  Description (values added): The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to arbitrary shortcode execution due to a missing capability check on the 'rcl_preview_post' AJAX endpoint in all versions up to, and including, 16.26.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
  Title (values added): WP-Recall – Registration, Profile, Commerce & More <= 16.26.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
  Weaknesses (values added): CWE-862
  References (values added): none listed
  Metrics (values added): cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:09.378Z

Reserved: 2025-02-14T23:37:00.296Z

Link: CVE-2025-1325

Vulnrichment

Updated: 2025-03-10T16:56:59.224Z

NVD

Status: Analyzed

Published: 2025-03-08T10:15:11.427

Modified: 2025-03-24T18:12:02.770

Link: CVE-2025-1325

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:45:21Z

Weaknesses