Description
Missing Authorization vulnerability in FADI MED Editor Wysiwyg Background Color editor-wysiwyg-background-color allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Editor Wysiwyg Background Color: from n/a through <= 1.0.
Published: 2025-04-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin suffers from a missing authorization check that allows any authenticated or potentially unauthenticated user to alter background color settings. This flaw enables an attacker to modify visual aspects of the site’s editor beyond the intended user role, effectively escalating privileges within the WordPress environment. The vulnerability is rooted in incorrect access control configuration and is classified as CWE-862.

Affected Systems

The affected software is the FADI MED Editor Wysiwyg Background Color plugin for WordPress, versions from n/a through 1.0. Users running any of these versions are susceptible.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while an EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. An attacker could exploit the issue by sending crafted HTTP requests to the plugin’s endpoints, bypassing the usual role checks. However, the requirement for the target to have some level of access to the site’s backend reduces the reach of the vulnerability.

Generated by OpenCVE AI on May 1, 2026 at 09:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Editor Wysiwyg Background Color plugin to the latest version available, or remove the plugin if no update exists.
  • Restrict application of the plugin’s features to administrator accounts only by configuring role‑based permissions in WordPress.
  • Monitor the site’s access logs for unexpected attempts to modify editor settings or for repeated access to the plugin’s endpoints.

Advisories
Source | ID | Title
EUVD | EUVD-2025-11595 | Missing Authorization vulnerability in FADI MED Editor Wysiwyg Background Color allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Editor Wysiwyg Background Color: from n/a through 1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Missing Authorization vulnerability in FADI MED Editor Wysiwyg Background Color allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Editor Wysiwyg Background Color: from n/a through 1.0.
Added: Missing Authorization vulnerability in FADI MED Editor Wysiwyg Background Color editor-wysiwyg-background-color allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Editor Wysiwyg Background Color: from n/a through <= 1.0.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in FADI MED Editor Wysiwyg Background Color allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Editor Wysiwyg Background Color: from n/a through 1.0.
Title WordPress Editor Wysiwyg Background Color plugin <= 1.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T23:59:22.098Z

Reserved: 2025-01-16T11:32:55.400Z

Link: CVE-2025-23958

Vulnrichment

Updated: 2025-04-17T17:41:57.623Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:31.170

Modified: 2026-06-17T08:57:47.767

Link: CVE-2025-23958

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:30:14Z

Weaknesses