Description
Missing Authorization vulnerability in LMSACE LMSACE Connect lmsace-connect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LMSACE Connect: from n/a through <= 3.4.
Published: 2025-07-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The LMSACE Connect WordPress plugin contains a missing authorization check, allowing an attacker to exploit incorrectly configured access control security levels. This flaw is classified as CWE-862 (Missing Authorization). As a result, a user without legitimate privileges could gain unauthorized access to restricted portions of a WordPress site managed by the plugin or modify content intended for authenticated users.

Affected Systems

All iterations of LMSACE Connect from the earliest available version up to and including 3.4 are affected. Site administrators should identify whether their WordPress installation uses any of these versions.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of < 1% suggests a very low probability of exploitation in the wild. The vulnerability is not included in CISA's KEV catalog, reflecting no confirmed widespread exploitation. The likely attack vector is a web-based interaction with the plugin's administrative interface; however, this assessment is inferred from the plugin's context and the nature of the missing authorization named in the description.

Generated by OpenCVE AI on May 1, 2026 at 07:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update LMSACE Connect to a version newer than 3.4
  • Verify that the plugin’s access‑control settings are properly configured and only authorized users have administrative permissions
  • If the plugin is no longer needed, remove it from the WordPress installation



Advisories
Source: EUVD
ID: EUVD-2025-19944
Title: Missing Authorization vulnerability in LMSACE LMSACE Connect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LMSACE Connect: from n/a through 3.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Missing Authorization vulnerability in LMSACE LMSACE Connect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LMSACE Connect: from n/a through 3.4.
Values Added: Missing Authorization vulnerability in LMSACE LMSACE Connect lmsace-connect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LMSACE Connect: from n/a through <= 3.4.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Fri, 04 Jul 2025 09:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in LMSACE LMSACE Connect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LMSACE Connect: from n/a through 3.4.
Title WordPress LMSACE Connect plugin <= 3.4 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:52.765Z

Reserved: 2025-03-11T08:11:02.522Z

Link: CVE-2025-29007

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2025-07-04T09:15:32.653

Modified: 2026-04-23T15:26:46.427

Link: CVE-2025-29007

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:15:11Z

Weaknesses