CVE-2025-22277 - Vulnerability Details

- WordPress Vitepos plugin <= 3.1.4 - Broken Authentication vulnerability

Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos vitepos-lite allows Authentication Abuse.This issue affects Vitepos: from n/a through <= 3.1.4.

Published: 2025-04-01

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The issue is an Authentication Bypass Using an Alternate Path or Channel that permits attackers to circumvent the standard login process for the WordPress Vitepos Lite plugin. By exploiting this flaw, an unauthenticated user or an attacker with limited access could gain privileged control over the plugin's administration interface, allowing them to alter store data, manage transactions, or redistribute sensitive information. The vulnerability is classified under CWE‑288 and results in unauthorized access to core functionalities.

Affected Systems

All WordPress sites running the Vitepos Lite plugin by appsbd with version 3.1.4 or earlier are affected. Any installation that has not upgraded beyond 3.1.4 remains vulnerable.

Risk and Exploitability

The flaw carries a CVSS score of 8.8, indicating high severity, while its EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker must send a specially crafted request to an alternate path or channel to bypass authentication, a technique typically exploitable over the public network. Although the potential impact is significant, the limited exploitation likelihood makes patching a priority.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

appsbd

Vitepos

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.1.4

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the WordPress Vitepos Lite plugin to a non‑vulnerable version (3.1.5 or later).
Remove any outdated Vitepos Lite plugin files from the WordPress plugins directory to prevent accidental use of vulnerable code.
Verify that all protected sections of the site enforce standard authentication checks and confirm that role‑based access controls are correctly configured.

Generated by OpenCVE AI on May 1, 2026 at 11:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-9113	Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos allows Authentication Abuse. This issue affects Vitepos: from n/a through 3.1.4.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00445.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/vitepos-lite/vulnerability/wordpress-vitepos-plugin-3-1-4-broken-authentication-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos allows Authentication Abuse. This issue affects Vitepos: from n/a through 3.1.4.	Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos vitepos-lite allows Authentication Abuse.This issue affects Vitepos: from n/a through <= 3.1.4.
References	https://patchstack.com/database/wordpress/plugin/vitepos-lite/vulnerability/wordpress-vitepos-plugin-3-1-4-broken-authentication-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/vitepos-lite/vulnerability/wordpress-vitepos-plugin-3-1-4-broken-authentication-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Tue, 01 Apr 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 01 Apr 2025 05:45:00 +0000

Type	Values Removed	Values Added
Description		Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos allows Authentication Abuse. This issue affects Vitepos: from n/a through 3.1.4.
Title		WordPress Vitepos plugin <= 3.1.4 - Broken Authentication vulnerability
Weaknesses		CWE-288
References		https://patchstack.com/database/wordpress/plugin/vitepos-lite/vulnerability/wordpress-vitepos-plugin-3-1-4-broken-authentication-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-04-01T05:32:24.249Z

Updated: 2026-04-28T16:10:57.813Z

Reserved: 2025-01-03T13:15:43.299Z

Link: CVE-2025-22277

Vulnrichment

Updated: 2025-04-01T13:36:04.424Z

NVD

Status : Deferred

Published: 2025-04-01T06:15:48.170

Modified: 2026-06-17T08:46:06.153

Link: CVE-2025-22277

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T12:00:15Z

Weaknesses

CWE-288
Authentication Bypass Using an Alternate Path or Channel

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object