Description
Missing Authorization vulnerability in Andy Stratton Append Content append-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Append Content: from n/a through <= 2.1.1.
Published: 2025-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated or low‑privileged authenticated attacker can exploit a missing authorization check in the WordPress Append Content plugin. The flaw allows the attacker to perform a CSRF attack and change the plugin's settings, potentially altering site behavior or enabling further compromise.

Affected Systems

The append-content plugin from Andy Stratton, versions from the earliest released through version 2.1.1, is impacted.

Risk and Exploitability

The CVSS score of 6.5 classifies the vulnerability as medium severity, while the EPSS score of less than 1% indicates a low probability of exploitation at the time of analysis. The plugin is not listed in the CISA KEV catalog. The likely attack vector is a cross‑site request forgery crafted as a link or form that tricks an authenticated WordPress user into submitting a request that changes plugin settings.

Generated by OpenCVE AI on May 1, 2026 at 02:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Append Content plugin to the latest available version, preferably 2.1.2 or newer.
  • Configure the plugin so that its settings are only accessible to users with the Administrator role.
  • Verify that the WordPress site’s CSRF protection mechanisms, such as nonces or form tokens, are active for plugin configuration pages.

Generated by OpenCVE AI on May 1, 2026 at 02:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9262 Missing Authorization vulnerability in Andy Stratton Append Content allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Append Content: from n/a through 2.1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Andy Stratton Append Content allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Append Content: from n/a through 2.1.1. Missing Authorization vulnerability in Andy Stratton Append Content append-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Append Content: from n/a through <= 2.1.1.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Wed, 02 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 15:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Andy Stratton Append Content allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Append Content: from n/a through 2.1.1.
Title WordPress Append Content plugin <= 2.1.1 - CSRF to Settings Change vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:12.673Z

Reserved: 2025-04-01T13:19:54.844Z

Link: CVE-2025-31780

cve-icon Vulnrichment

Updated: 2025-04-02T15:19:02.955Z

cve-icon NVD

Status : Deferred

Published: 2025-04-01T15:16:15.663

Modified: 2026-04-23T15:28:16.777

Link: CVE-2025-31780

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T02:15:06Z

Weaknesses