Description
Missing Authorization vulnerability in Sandeep Kumar WP Video Playlist wp-video-playlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Video Playlist: from n/a through <= 1.1.2.
Published: 2025-04-03
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization check that allows an attacker to modify the settings of the WP Video Playlist plugin. Without proper access control, a malicious user can change configuration values, potentially redirecting video links, altering display options, or exposing sensitive data. The primary consequence is privilege escalation within the WordPress site, granting the attacker unauthorized control over plugin behavior.

Affected Systems

Sandeep Kumar’s WP Video Playlist plugin for WordPress. Versions from the first release through 1.1.2 are affected. Any WordPress installation with the plugin installed, regardless of the site's user base, may be susceptible if the attacker has a way to reach its settings page.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. The EPSS score of <1% suggests that the likelihood of exploitation is low as of the latest data, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the flaw is exploitable remotely via the WordPress admin interface once a user can reach the plugin’s configuration page. Because it lacks an authentication requirement, an unauthenticated or low‑privilege user could potentially manipulate settings, making the attack vector likely remote through a web interface.

Generated by OpenCVE AI on May 1, 2026 at 01:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Video Playlist plugin to the latest available version that contains the authorization fix; avoid keeping the plugin at version 1.1.2 or earlier.
  • If upgrading is not immediately possible, temporarily disable or delete the plugin from the WordPress installation to eliminate the exposed configuration interface.
  • Enforce strict role‑based access controls so that only administrators are granted the capability to modify plugin settings; review and adjust capability assignments for the ‘edit_plugin_options’ or equivalent capability.
  • Review site logs for anomalous changes to plugin settings and, if the plugin remains essential, consider enhanced monitoring for configuration alterations.

Advisories
Source: EUVD
ID: EUVD-2025-14747
Title: Missing Authorization vulnerability in Sandeep Kumar WP Video Playlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Video Playlist: from n/a through 1.1.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in Sandeep Kumar WP Video Playlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Video Playlist: from n/a through 1.1.2.
  Added: Missing Authorization vulnerability in Sandeep Kumar WP Video Playlist wp-video-playlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Video Playlist: from n/a through <= 1.1.2.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Thu, 03 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 03 Apr 2025 13:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Sandeep Kumar WP Video Playlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Video Playlist: from n/a through 1.1.2.
Title WordPress WP Video Playlist plugin <= 1.1.2 - Settings Change vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:09.540Z

Reserved: 2025-03-31T10:05:51.138Z

Link: CVE-2025-31581

Vulnrichment

Updated: 2025-04-03T14:59:57.965Z

NVD

Status: Deferred

Published: 2025-04-03T14:15:37.550

Modified: 2026-04-23T15:28:00.393

Link: CVE-2025-31581

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:15:05Z

Weaknesses