Description
Missing Authorization vulnerability in Jaap Jansma Connector to CiviCRM with CiviMcRestFace (connector-civicrm-mcrestface) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Connector to CiviCRM with CiviMcRestFace: from n/a through <= 1.0.10.
Published: 2025-03-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a missing authorization flaw (CWE-862) in the WordPress Connector to CiviCRM with CiviMcRestFace plugin that can be exploited when access control is incorrectly configured. An attacker who can reach the affected plugin's endpoints may gain unauthorized access to protected functionality, potentially exposing sensitive data or modifying records. In effect, any user or service that can invoke the plugin's API could perform actions beyond its intended authorization scope, which can compromise the confidentiality, integrity, or availability of the CiviCRM data.

Affected Systems

Users of the Jaap Jansma Connector to CiviCRM with CiviMcRestFace plugin, versions from the earliest release through 1.0.10, are affected. No narrower version range is specified beyond the stated upper bound.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not yet listed in the CISA KEV catalog. Based on the description, the likely attack vector is interaction with the plugin's web interface or API endpoints; the exact prerequisites are not detailed, so exploitation may require authenticated access or may be possible without authentication, depending on site configuration.

Generated by OpenCVE AI on May 1, 2026 at 02:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Connector to CiviCRM with CiviMcRestFace plugin to version 1.0.11 or later, if available, to eliminate the missing authorization flaw.
  • Reconfigure the plugin's access control settings so that only authorized WordPress users or roles can invoke the plugin's functionality.
  • Enforce strict role‑based permissions in WordPress so that users who do not need CMS or plugin administrative access are limited to the least privileged level.


Advisories
Source: EUVD
ID: EUVD-2025-8770
Title: Missing Authorization vulnerability in Jaap Jansma Connector to CiviCRM with CiviMcRestFace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Connector to CiviCRM with CiviMcRestFace: from n/a through 1.0.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Values removed: Missing Authorization vulnerability in Jaap Jansma Connector to CiviCRM with CiviMcRestFace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Connector to CiviCRM with CiviMcRestFace: from n/a through 1.0.9.
  Values added: Missing Authorization vulnerability in Jaap Jansma Connector to CiviCRM with CiviMcRestFace connector-civicrm-mcrestface allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Connector to CiviCRM with CiviMcRestFace: from n/a through <= 1.0.10.
Type: Title
  Values removed: WordPress Connector to CiviCRM with CiviMcRestFace plugin <= 1.0.9 - Broken Access Control vulnerability
  Values added: WordPress Connector to CiviCRM with CiviMcRestFace plugin <= 1.0.10 - Broken Access Control vulnerability
Type: References
Type: Metrics
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Mon, 31 Mar 2025 15:15:00 +0000

Type: Metrics
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 31 Mar 2025 13:00:00 +0000

Type: Description
  Values added: Missing Authorization vulnerability in Jaap Jansma Connector to CiviCRM with CiviMcRestFace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Connector to CiviCRM with CiviMcRestFace: from n/a through 1.0.9.
Type: Title
  Values added: WordPress Connector to CiviCRM with CiviMcRestFace plugin <= 1.0.9 - Broken Access Control vulnerability
Type: Weaknesses
  Values added: CWE-862
Type: References
Type: Metrics
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:10.431Z

Reserved: 2025-03-31T10:06:23.643Z

Link: CVE-2025-31618

Vulnrichment

Updated: 2025-03-31T14:44:40.466Z

NVD

Status: Deferred

Published: 2025-03-31T13:15:56.137

Modified: 2026-04-23T15:28:05.243

Link: CVE-2025-31618

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T03:00:08Z

Weaknesses