Description
Missing Authorization vulnerability in mgplugin EMI Calculator emi-calculator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EMI Calculator: from n/a through <= 1.1.
Published: 2025-01-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Missing Authorization flaw in the WordPress EMI Calculator plugin that allows an attacker to modify the plugin’s settings without proper credential checks. This can lead to unauthorized configuration changes that may alter the calculator’s behavior, potentially exposing sensitive data or disrupting normal site functionality. The weakness is classified as CWE‑862, which indicates a missing or insufficient authorization enforcement.

Affected Systems

The affected product is the WordPress EMI Calculator plugin, version 1.1 and all earlier releases. Any installation running a version through 1.1 is susceptible to this issue.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1 percent suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via the plugin’s settings page over the web interface, requiring authenticated access that is incorrectly authorized. Attackers who can authenticate to the WordPress administration area can exploit this flaw to change configuration values without appropriate permission checks.

Generated by OpenCVE AI on May 2, 2026 at 05:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress EMI Calculator plugin to version 1.2 or later to apply the vendor’s fix for the missing authorization issue.
  • If an upgrade is not immediately possible, disable the plugin or remove it from the site until a patched version is available.
  • Restrict access to the plugin’s settings page via role‑based permissions, ensuring that only trusted administrators can modify configuration values, and enforce strong authentication controls for the WordPress admin area.

Generated by OpenCVE AI on May 2, 2026 at 05:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2683 Missing Authorization vulnerability in mgplugin EMI Calculator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EMI Calculator: from n/a through 1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in mgplugin EMI Calculator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EMI Calculator: from n/a through 1.1. Missing Authorization vulnerability in mgplugin EMI Calculator emi-calculator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EMI Calculator: from n/a through <= 1.1.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00066}

 epss

{'score': 0.00083}

Fri, 31 Jan 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 31 Jan 2025 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in mgplugin EMI Calculator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EMI Calculator: from n/a through 1.1.
Title WordPress EMI Calculator plugin <= 1.1 - Settings Change vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:57.748Z

Reserved: 2025-01-02T12:02:05.151Z

Link: CVE-2025-22265

cve-icon Vulnrichment

Updated: 2025-01-31T19:30:56.164Z

cve-icon NVD

Status : Deferred

Published: 2025-01-31T09:15:07.167

Modified: 2026-06-17T08:46:00.697

Link: CVE-2025-22265

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T05:15:16Z

Weaknesses