Description
Missing Authorization vulnerability in AmentoTech Private Limited WPGuppy wpguppy-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPGuppy: from n/a through <= 1.1.0.
Published: 2025-02-03
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows attackers to bypass the authentication mechanism in AmentoTech Private Limited’s WPGuppy plugin, enabling them to access privileged administrative functions that should be restricted. Because the plugin’s access control is incorrectly implemented, an unauthenticated user could perform actions such as modifying content, changing settings, or potentially taking full control of the WordPress site. This direct unauthorized access flaw corresponds to CWE-862 and could lead to data exposure, integrity violations, or availability disruptions for sites that rely on WPGuppy.

Affected Systems

The affected product is AmentoTech Private Limited’s WPGuppy WordPress plugin, versions up to and including 1.1.0. Any WordPress installation that has installed a version of WPGuppy 1.1.0 or older is potentially vulnerable, regardless of which theme or other plugins are active.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, while the EPSS score of less than 1% suggests that exploitation is currently uncommon. The vulnerability is not listed in the CISA KEV catalog, implying no publicly known active exploit at the time of this analysis. Attackers can reach the flaw through normal web traffic to the WordPress site; they require no special network access beyond the ability to send HTTP requests to the target. The failure of access control means any attacker who discovers the vulnerable plugin instance can potentially perform privileged actions, provided that the WordPress site’s user role configuration allows administrative access once the flaw is exploited.

Generated by OpenCVE AI on May 1, 2026 at 17:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPGuppy plugin to the latest version that contains the authentication fix; verify that the installed version is newer than 1.1.0.
  • Review WordPress user roles and ensure that only required administrative privileges are granted; remove any unnecessary superuser accounts.
  • Disable or uninstall older or abandoned copies of the WPGuppy plugin to prevent accidental use of the vulnerable code.
  • Regularly monitor WordPress logs for unauthorized access attempts and keep core WordPress, themes, and all plugins updated to reduce future risk.

Advisories
Source: EUVD
ID: EUVD-2025-3842
Title: Missing Authorization vulnerability in Amento Tech Pvt ltd WPGuppy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPGuppy: from n/a through 1.1.0.
History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Missing Authorization vulnerability in Amento Tech Pvt ltd WPGuppy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPGuppy: from n/a through 1.1.0.
Values Added: Missing Authorization vulnerability in AmentoTech Private Limited WPGuppy wpguppy-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPGuppy: from n/a through <= 1.1.0.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00066}

epss

{'score': 0.00083}


Mon, 03 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 03 Feb 2025 14:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Amento Tech Pvt ltd WPGuppy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPGuppy: from n/a through 1.1.0.
Title WordPress WPGuppy plugin <= 1.1.0 - Broken Authentication vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:54.268Z

Reserved: 2025-01-23T14:51:41.776Z

Link: CVE-2025-24643

Vulnrichment

Updated: 2025-02-03T16:00:40.879Z

NVD

Status: Deferred

Published: 2025-02-03T15:15:28.537

Modified: 2026-04-29T10:16:41.837

Link: CVE-2025-24643

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T17:45:15Z

Weaknesses