Description
Missing Authorization vulnerability in matthewrubin Review Manager review-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Review Manager: from n/a through <= 2.5.0.
Published: 2025-04-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw (CWE-862) in the Review Manager plugin for WordPress: at least one privileged operation is reachable without the plugin checking that the caller is entitled to perform it. According to the published CVSS vector, the flaw is reachable over the network by an unauthenticated attacker and affects integrity only (C:N/I:L/A:N), so the realistic outcome is unauthorized creation or modification of review content rather than disclosure of data or denial of service. CWE-862 describes code that performs a sensitive action without verifying that the actor is authorized to perform it; a role or capability model that exists elsewhere in the application does not help when the affected code path never consults it.

Affected Systems

Review Manager, a plugin by matthewrubin (slug review-manager), is affected. All versions through 2.5.0 inclusive are listed as vulnerable; the advisory gives no lower bound ("n/a"), so every earlier release should be treated as affected. Note that the affected-version ceiling has been revised in this record's history (2.2.0, then 2.5.0, then 2.6.0, then back to 2.5.0), so compare the installed version against the current record rather than an older copy. No fixed version is listed at the time of this record.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) reflects a network-reachable, low-complexity flaw that needs no privileges and no user interaction but is limited to a low integrity impact. The EPSS score below 1% indicates a low estimated probability of exploitation at the time of analysis, and the CVE is not in CISA's KEV catalog, which means no exploitation in the wild has been confirmed, not that abuse is impossible; the SSVC assessment attached to the record rates it Automatable: yes, Exploitation: none, Technical Impact: partial. Because PR:N, an attacker needs only HTTP access to the site: a request to the unprotected plugin function succeeds because the plugin does not check the caller's capabilities. The advisory does not identify which endpoint or function lacks the check.

Generated by OpenCVE AI on May 1, 2026 at 11:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor's official website or the plugin's WordPress.org listing for a release that addresses this access control flaw, and upgrade as soon as one is available.
  • If an immediate update is not possible, restrict unauthenticated access to the plugin's endpoints with web server or web application firewall rules. Since the vector is PR:N, blocking unauthenticated callers is the control that matters, but identify the plugin's actual endpoints first, as the advisory does not name them.
  • Review WordPress role capabilities so that only trusted roles can create, edit, or delete reviews. This limits what a compromised low-privilege account can do, but it does not fix a missing check inside the plugin: code that performs no authorization check ignores role configuration entirely. If reviews are not business-critical, deactivating the plugin until a fix ships removes the exposure outright.
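The Impact section and the last recommendation both turn on the same point: CWE-862 is a check that is absent from the code path, so it has to be found in the plugin source, not in role settings. The following is an added example, not code from this page, from OpenCVE, or from the Review Manager plugin, and it does not reproduce CVE-2025-31836, whose location the advisory does not give. It is a heuristic static check in Python that finds `wp_ajax_` handlers registered by a WordPress plugin and flags callbacks whose body never calls `current_user_can()`. The embedded PHP is a constructed sample: one handler registered on a `wp_ajax_nopriv_` hook (the unauthenticated, AV:N/PR:N shape) that updates a post without any check, and one hardened with a nonce and a capability check. Every function, hook and option name in it is an assumption made for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample plugin source for the demo. It is NOT the Review Manager
# plugin's code; the advisory does not say where its missing check lives.
# Handler 1 mirrors the CWE-862 pattern behind the CVSS vector (AV:N/PR:N):
# registered on a wp_ajax_nopriv_ hook, writes a post, checks nothing.
# Handler 2 is the hardened shape: nonce + capability check before acting.
SAMPLE_PLUGIN_SOURCE = r'''<?php
add_action('wp_ajax_nopriv_rm_update_review', 'rm_update_review');
add_action('wp_ajax_rm_update_review', 'rm_update_review');
function rm_update_review() {
    // no capability check, no nonce: any visitor can rewrite a review
    $id = intval($_POST['id']);
    wp_update_post(array('ID' => $id, 'post_content' => $_POST['body']));
    wp_send_json_success();
}

add_action('wp_ajax_rm_delete_review', 'rm_delete_review');
function rm_delete_review() {
    check_ajax_referer('rm_reviews', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    wp_delete_post(intval($_POST['id']), true);
    wp_send_json_success();
}
'''

# add_action('wp_ajax_[nopriv_]<action>', '<callback>') registrations.
HOOK_RE = re.compile(
    r"""add_action\(\s*['"](?P<hook>wp_ajax_(?P<nopriv>nopriv_)?[\w-]+)['"]\s*,\s*['"](?P<cb>\w+)['"]"""
)
# Authorization (capability) and CSRF (nonce) checks WordPress code normally uses.
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")


@dataclass
class Finding:
    callback: str
    hooks: list
    unauthenticated: bool   # reachable via a wp_ajax_nopriv_ hook (no login needed)
    capability_check: bool  # body calls current_user_can(...)
    nonce_check: bool       # body verifies a nonce

    @property
    def missing_authorization(self) -> bool:
        # CWE-862: a sensitive action with no check of the caller's capabilities.
        return not self.capability_check


def function_body(src: str, name: str):
    """Return the text between the braces of `function name(...) {...}`, or None.
    Brace counting ignores strings and comments: good enough for triage, not parsing."""
    m = re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth = 0
    for i in range(m.end() - 1, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[m.end():i]
    return None


def audit(src: str) -> list:
    """Audit every AJAX callback registered in `src` for a missing capability check."""
    handlers = {}
    for m in HOOK_RE.finditer(src):
        entry = handlers.setdefault(m.group("cb"), {"hooks": [], "nopriv": False})
        entry["hooks"].append(m.group("hook"))
        entry["nopriv"] = entry["nopriv"] or m.group("nopriv") is not None
    findings = []
    for cb, entry in handlers.items():
        body = function_body(src, cb) or ""
        findings.append(Finding(cb, sorted(entry["hooks"]), entry["nopriv"],
                                bool(CAP_RE.search(body)), bool(NONCE_RE.search(body))))
    return findings


def report(findings: list) -> list:
    """One line per callback, worst first: unauthenticated and no capability check."""
    lines = []
    for f in sorted(findings, key=lambda f: (not f.missing_authorization, not f.unauthenticated)):
        status = "MISSING AUTHORIZATION" if f.missing_authorization else "ok"
        reach = "unauthenticated" if f.unauthenticated else "logged-in only"
        lines.append(f"{f.callback}: {status} ({reach}; nonce check: {f.nonce_check}) hooks={f.hooks}")
    return lines


if __name__ == "__main__":
    for line in report(audit(SAMPLE_PLUGIN_SOURCE)):
        print(line)
```

Run it against a plugin's PHP files (replace the embedded sample with the file contents) to get a shortlist of callbacks to read by hand. It is deliberately a triage aid: it does not follow checks delegated to helper functions, does not cover REST routes (where the equivalent is the `permission_callback` argument to `register_rest_route()`), and a nonce alone is not authorization, which is why the finding keys on the capability check rather than the nonce.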

Generated by OpenCVE AI on May 1, 2026 at 11:45 UTC.


Advisories
Source | ID | Title
EUVD | EUVD-2025-9203 | Missing Authorization vulnerability in matthewrubin Review Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Review Manager: from n/a through 2.2.0.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
  Removed: Missing Authorization vulnerability in matthewrubin Review Manager review-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Review Manager: from n/a through <= 2.6.0.
  Added: Missing Authorization vulnerability in matthewrubin Review Manager review-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Review Manager: from n/a through <= 2.5.0.
Type: Title
  Removed: WordPress Review Manager plugin <= 2.6.0 - Broken Access Control vulnerability
  Added: WordPress Review Manager plugin <= 2.5.0 - Broken Access Control vulnerability

Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
  Removed: Missing Authorization vulnerability in matthewrubin Review Manager review-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Review Manager: from n/a through <= 2.5.0.
  Added: Missing Authorization vulnerability in matthewrubin Review Manager review-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Review Manager: from n/a through <= 2.6.0.
Type: Title
  Removed: WordPress Review Manager plugin <= 2.5.0 - Broken Access Control vulnerability
  Added: WordPress Review Manager plugin <= 2.6.0 - Broken Access Control vulnerability
Type: Metrics (cvssV3_1)
  Value: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Removed: Missing Authorization vulnerability in matthewrubin Review Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Review Manager: from n/a through 2.2.0.
  Added: Missing Authorization vulnerability in matthewrubin Review Manager review-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Review Manager: from n/a through <= 2.5.0.
Type: Title
  Removed: WordPress Review Manager Plugin <= 2.2.0 - Broken Access Control vulnerability
  Added: WordPress Review Manager plugin <= 2.5.0 - Broken Access Control vulnerability
Type: References
Type: Metrics (cvssV3_1)
  Value: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Tue, 01 Apr 2025 19:15:00 +0000

Type: Metrics (ssvc)
  Value: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 15:00:00 +0000

Type: Description
  Added: Missing Authorization vulnerability in matthewrubin Review Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Review Manager: from n/a through 2.2.0.
Type: Title
  Added: WordPress Review Manager Plugin <= 2.2.0 - Broken Access Control vulnerability
Type: Weaknesses
  Added: CWE-862
Type: References
Type: Metrics (cvssV3_1)
  Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:14.219Z

Reserved: 2025-04-01T13:20:41.854Z

Link: CVE-2025-31836

Vulnrichment

Updated: 2025-04-01T18:55:32.469Z

NVD

Status : Deferred

Published: 2025-04-01T15:16:24.100

Modified: 2026-04-28T19:31:20.290

Link: CVE-2025-31836

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:45:16Z

Weaknesses