Description
Missing Authorization vulnerability in Mark Winiarski WPLingo wplingo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPLingo: from n/a through <= 1.1.2.
Published: 2025-02-14
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from a missing authorization check in the Mark Winiarski WPLingo plugin, allowing a user to delete content arbitrarily. The weakness is an unauthorized access flaw, classified as CWE‑862, and can compromise the integrity of the site’s data without compromising confidentiality. The attack does not grant code execution or elevate privileges beyond content deletion functionality.

Affected Systems

The flaw affects any WordPress site running the WPLingo plugin version 1.1.2 or earlier. No specific WordPress core version is mentioned, so any installation employing a vulnerable plugin instance is at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of < 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely remote: an authenticated user with insufficient permissions could trigger deletion requests through the plugin’s exposed interfaces. Formal authentication prerequisites are not detailed, so the main risk remains that any user with access could delete arbitrary content.

Generated by OpenCVE AI on May 1, 2026 at 16:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WPLingo to the latest available version (greater than 1.1.2).
  • If an update is not immediately available, restrict or disable the plugin until a fix is applied.
  • Implement routine content integrity monitoring and backup procedures to detect and recover from unauthorized deletion events.



Advisories
Source: EUVD
ID: EUVD-2025-3235
Title: Missing Authorization vulnerability in Mark Winiarski WPLingo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPLingo: from n/a through 1.1.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Missing Authorization vulnerability in Mark Winiarski WPLingo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPLingo: from n/a through 1.1.2.
Values Added: Missing Authorization vulnerability in Mark Winiarski WPLingo wplingo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPLingo: from n/a through <= 1.1.2.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics
Values Removed: epss {'score': 0.0005}
Values Added: epss {'score': 0.00055}


Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics
Values Removed: epss {'score': 0.00069}
Values Added: epss {'score': 0.0005}


Fri, 14 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 14 Feb 2025 13:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Mark Winiarski WPLingo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPLingo: from n/a through 1.1.2.
Title WordPress WPLingo plugin <= 1.1.2 - Arbitrary Content Deletion vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:36:08.116Z

Reserved: 2025-01-16T11:25:56.884Z

Link: CVE-2025-23534

Vulnrichment

Updated: 2025-02-14T15:36:16.624Z

NVD

Status: Deferred

Published: 2025-02-14T13:15:43.980

Modified: 2026-06-17T08:55:09.700

Link: CVE-2025-23534

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T16:45:20Z

Weaknesses