Description
Missing Authorization vulnerability in Pravin Durugkar User Sync ActiveCampaign registered-user-sync-activecampaign allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Sync ActiveCampaign: from n/a through <= 1.3.2.
Published: 2025-01-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in the Pravin Durugkar User Sync ActiveCampaign WordPress plugin enables an attacker to exploit incorrectly configured access control settings. The flaw allows unauthorized users to interact with the plugin’s functionality, potentially exposing or altering sensitive data that the plugin processes. The vulnerability is present in all releases up to and including version 1.3.2.

Affected Systems

The affected product is the User Sync ActiveCampaign plugin developed by Pravin Durugkar. Versions up to 1.3.2 are impacted; newer releases are not affected.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity. The EPSS score of less than 1% indicates a low likelihood of exploitation in the current threat landscape, and the issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could exploit this by having access to a WordPress site that has the vulnerable plugin installed and could send crafted requests to the plugin’s endpoints. No special conditions are required beyond the presence of the plugin on a live web application.

Generated by OpenCVE AI on May 2, 2026 at 06:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the User Sync ActiveCampaign plugin to the latest version (greater than 1.3.2) to remove the missing authorization flaw.
  • Restrict WordPress user roles to the minimum privileges required for the plugin’s operation, ensuring that only authorized administrators can access its settings.
  • If the plugin is not required, deactivate or uninstall it to eliminate the vulnerable code path.

Generated by OpenCVE AI on May 2, 2026 at 06:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3411 Missing Authorization vulnerability in Pravin Durugkar User Sync ActiveCampaign allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Sync ActiveCampaign: from n/a through 1.3.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Pravin Durugkar User Sync ActiveCampaign allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Sync ActiveCampaign: from n/a through 1.3.2. Missing Authorization vulnerability in Pravin Durugkar User Sync ActiveCampaign registered-user-sync-activecampaign allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Sync ActiveCampaign: from n/a through <= 1.3.2.
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Fri, 17 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Jan 2025 20:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Pravin Durugkar User Sync ActiveCampaign allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Sync ActiveCampaign: from n/a through 1.3.2.
Title WordPress User Sync ActiveCampaign plugin <= 1.3.2 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:58:51.316Z

Reserved: 2025-01-16T11:30:05.455Z

Link: CVE-2025-23778

cve-icon Vulnrichment

Updated: 2025-01-17T17:18:43.173Z

cve-icon NVD

Status : Deferred

Published: 2025-01-16T21:15:19.483

Modified: 2026-06-17T08:57:07.907

Link: CVE-2025-23778

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T06:15:06Z

Weaknesses