Description
Missing Authorization vulnerability in Ashish Ajani WP Simple HTML Sitemap wp-simple-html-sitemap allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Simple HTML Sitemap: from n/a through <= 3.5.
Published: 2025-04-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the WP Simple HTML Sitemap plugin that allows attackers to access and manipulate sitemap content without proper permissions. This leads to unauthorized viewing, editing, or deletion of sitemap data, potentially exposing website structure and internal pages. The weakness is classified under CWE-862, indicating an improper authorization control.

Affected Systems

The flaw affects the WP Simple HTML Sitemap plugin developed by Ashish Ajani. All released versions from the initial release up to and including version 3.5 are susceptible. No specific sub‑versions are listed, so users should assume that any version equal to or older than 3.5 may be impacted.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating moderate severity, and an EPSS score of less than 1%, suggesting a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Likely exploitability requires the attacker to access the plugin’s management endpoints over the web, where the access control check is missing. The attack vector is consequently a web-based, publicly reachable service that can be abused by any user without further authentication or privileges.

Generated by OpenCVE AI on May 1, 2026 at 02:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Simple HTML Sitemap plugin to the latest available version (3.6 or newer) which includes the access control fix.
  • If an update is not immediately feasible, restrict web access to the plugin’s administrative URLs using server‑side rules such as .htaccess or firewall configurations so that only authenticated administrators can reach them.
  • Disable or remove the plugin entirely from the WordPress installation if the sitemap feature is not required.

Generated by OpenCVE AI on May 1, 2026 at 02:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9224 Missing Authorization vulnerability in Ashish Ajani WP Simple HTML Sitemap allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Simple HTML Sitemap: from n/a through 3.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Ashish Ajani WP Simple HTML Sitemap allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Simple HTML Sitemap: from n/a through 3.2. Missing Authorization vulnerability in Ashish Ajani WP Simple HTML Sitemap wp-simple-html-sitemap allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Simple HTML Sitemap: from n/a through <= 3.5.
Title WordPress WordPress Simple HTML Sitemap plugin <= 3.2 - Broken Access Control vulnerability WordPress WordPress Simple HTML Sitemap plugin <= 3.4 - Broken Access Control vulnerability
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Tue, 01 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 15:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Ashish Ajani WP Simple HTML Sitemap allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Simple HTML Sitemap: from n/a through 3.2.
Title WordPress WordPress Simple HTML Sitemap plugin <= 3.2 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Ashish Ajani Wp Simple Html Sitemap
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:13.697Z

Reserved: 2025-04-01T13:20:32.605Z

Link: CVE-2025-31822

cve-icon Vulnrichment

Updated: 2025-04-01T18:11:28.127Z

cve-icon NVD

Status : Deferred

Published: 2025-04-01T15:16:22.273

Modified: 2026-04-23T15:28:21.667

Link: CVE-2025-31822

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T02:15:06Z

Weaknesses