CVE-2025-23512 - Vulnerability Details

- WordPress Team 118GROUP Agent plugin <= 1.6.0 - Arbitrary Content Deletion vulnerability

Description

Missing Authorization vulnerability in 118group Team 118GROUP Agent team-118group-agent allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Team 118GROUP Agent: from n/a through <= 1.6.0.

Published: 2025-01-22

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw is a missing authorization issue that allows improper use of the Team 118GROUP Agent WordPress plugin to delete content at will. Because the plugin does not enforce sufficient access control checks, an attacker can invoke deletion functions that otherwise should be restricted. The primary consequence is the loss or modification of website content, potentially compromising the integrity of the site.

Affected Systems

Any WordPress site running the Team 118GROUP Agent plugin with a version of 1.6.0 or earlier is affected. This includes installations that have not yet upgraded beyond that release.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, indicating high severity. Its EPSS score is reported as less than 1%, suggesting a low current exploitation probability, and it is not currently listed in the CISA KEV catalog. The likely attack vector is the exploitation of incorrect access control, which may require valid credentials or a misconfigured role. An attacker who gains the requisite privileges could delete arbitrary content without proper authorization checks.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

118group

Team 118GROUP Agent

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.6.0

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Team 118GROUP Agent to any version newer than 1.6.0
If upgrading is not possible, immediately disable or remove the plugin to prevent deletion actions
Revise user role definitions so that only trusted administrators can access content‑deletion features and audit logs for unauthorized attempts

Generated by OpenCVE AI on May 1, 2026 at 19:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-3222	Missing Authorization vulnerability in Team118GROUP Team 118GROUP Agent allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Team 118GROUP Agent: from n/a through 1.6.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00609.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/team-118group-agent/vulnerability/wordpress-team-118group-agent-plugin-1-6-0-arbitrary-content-deletion-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Missing Authorization vulnerability in Team118GROUP Team 118GROUP Agent allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Team 118GROUP Agent: from n/a through 1.6.0.	Missing Authorization vulnerability in 118group Team 118GROUP Agent team-118group-agent allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Team 118GROUP Agent: from n/a through <= 1.6.0.
References	https://patchstack.com/database/wordpress/plugin/team-118group-agent/vulnerability/wordpress-team-118group-agent-plugin-1-6-0-arbitrary-content-deletion-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/team-118group-agent/vulnerability/wordpress-team-118group-agent-plugin-1-6-0-arbitrary-content-deletion-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Wed, 22 Jan 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 22 Jan 2025 14:45:00 +0000

Type	Values Removed	Values Added
Description		Missing Authorization vulnerability in Team118GROUP Team 118GROUP Agent allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Team 118GROUP Agent: from n/a through 1.6.0.
Title		WordPress Team 118GROUP Agent plugin <= 1.6.0 - Arbitrary Content Deletion vulnerability
Weaknesses		CWE-862
References		https://patchstack.com/database/wordpress/plugin/team-118group-agent/vulnerability/wordpress-team-118group-agent-plugin-1-6-0-arbitrary-content-deletion-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-01-22T14:29:14.122Z

Updated: 2026-04-28T16:11:11.628Z

Reserved: 2025-01-16T11:25:42.451Z

Link: CVE-2025-23512

Vulnrichment

Updated: 2025-01-22T16:18:23.551Z

NVD

Status : Deferred

Published: 2025-01-22T15:15:17.160

Modified: 2026-06-17T08:54:57.823

Link: CVE-2025-23512

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T20:00:13Z

Weaknesses

CWE-862
Missing Authorization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object