Description
Missing Authorization vulnerability in WordLift WordLift wordlift allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordLift: from n/a through <= 3.54.4.
Published: 2025-06-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization mechanism in the WordLift plugin that allows attackers to exploit incorrectly configured access control security levels. Because the plugin fails to enforce proper user permissions, an attacker can access privileged functions and manipulate the plugin’s behavior. This flaw could lead to unauthorized data exposure or content modification, compromising the integrity of the site.

Affected Systems

WordLift plugin for WordPress, versions from the earliest release up through version 3.54.4. Any WordPress installation that has WordLift installed and has not upgraded beyond 3.54.4 is potentially affected.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves an attacker who has some level of access to the WordPress site, such as a user with contributor or author privileges, exploiting the plugin’s exposed management pages to gain unauthorized privilege. Because the flaw is an access control issue rather than a remote code execution bug, the attack would require the attacker to interact with the WordPress backend or plugin interfaces.

Generated by OpenCVE AI on May 1, 2026 at 07:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordLift plugin to the latest version (>= 3.54.5) which resolves the access control flaw.
  • Verify that the plugin’s configuration pages are restricted to administrators only; review the plugin’s settings after an upgrade.
  • Inspect the WordPress user roles and remove any unnecessary privileges, ensuring only administrators can access the plugin’s management features.

Generated by OpenCVE AI on May 1, 2026 at 07:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17190 Missing Authorization vulnerability in WordLift WordLift allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordLift: from n/a through 3.54.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in WordLift WordLift allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordLift: from n/a through 3.54.4. Missing Authorization vulnerability in WordLift WordLift wordlift allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordLift: from n/a through <= 3.54.4.
Title WordPress WordLift <= 3.54.4 - Broken Access Control Vulnerability WordPress WordLift plugin <= 3.54.4 - Broken Access Control Vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Fri, 06 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Jun 2025 13:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in WordLift WordLift allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordLift: from n/a through 3.54.4.
Title WordPress WordLift <= 3.54.4 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wordlift Wordlift
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:55.940Z

Reserved: 2025-03-24T13:00:55.839Z

Link: CVE-2025-30624

cve-icon Vulnrichment

Updated: 2025-06-06T15:36:51.891Z

cve-icon NVD

Status : Deferred

Published: 2025-06-06T13:15:31.637

Modified: 2026-04-23T15:26:59.517

Link: CVE-2025-30624

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T08:00:13Z

Weaknesses