Description
Missing Authorization vulnerability in Frank P. Walentynowicz FPW Category Thumbnails fpw-category-thumbnails allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FPW Category Thumbnails: from n/a through <= 1.9.5.
Published: 2025-04-03
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The FPW Category Thumbnails plugin for WordPress omits an authorization check on its administrative endpoints, allowing an attacker who can reach those URLs to gain unauthorized control over the plugin's configuration and content management. This flaw can be used to alter, delete, or add category thumbnails, potentially disrupting site appearance and functionality. The weakness is classified as CWE-862, Missing Authorization.

Affected Systems

Frank P. Walentynowicz’s FPW Category Thumbnails plugin for WordPress, versions up to and including 1.9.5, is impacted. No other products or version ranges are listed as affected.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, while the EPSS score of less than 1% reflects a very low likelihood of exploitation, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is crafted HTTP requests to the plugin's administrative URLs; the CVSS vector recorded in the history below (PR:L) indicates that the attacker needs a low-privilege authenticated account on the site, or must exploit another weakness that grants access to the management pages. If successful, the attacker would gain unauthorized administrative control over the plugin, compromising integrity and possibly affecting the broader WordPress site.

Generated by OpenCVE AI on May 1, 2026 at 11:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the FPW Category Thumbnails plugin to a version newer than 1.9.5 where the access control issue has been fixed.
  • Verify that the plugin’s administrative URLs are protected by ensuring only users with the Administrator role can access them, for example by checking role capabilities before executing admin functions.
  • If an update cannot be applied immediately, disable the vulnerable plugin or remove its administrative endpoints to prevent abuse of the broken access control.
  • Monitor server logs for suspicious activity involving the plugin’s management pages to detect potential exploitation attempts.
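As an added illustration of the capability check named in the second action above (this is not the plugin's own code; the handler, hook and meta-key names prefixed fpw_demo_ are hypothetical), a WordPress admin-post handler with the authorization check missing, beside the same handler with capability and nonce checks:

```php
<?php
// Added illustration only; not code from the FPW Category Thumbnails plugin.
// The handler, hook and meta-key names (fpw_demo_*) are hypothetical.

// BEFORE (the CWE-862 pattern): the handler assumes only administrators reach
// admin-post.php, but 'admin_post_{action}' fires for any logged-in user, so
// a low-privilege account can change category thumbnails. Shown for contrast;
// it is deliberately NOT hooked to an action here.
function fpw_demo_save_thumbnail_missing_auth() {
    $term_id  = (int) $_POST['term_id'];
    $image_id = (int) $_POST['image_id'];
    update_term_meta( $term_id, 'fpw_demo_thumbnail_id', $image_id );
    wp_safe_redirect( admin_url( 'edit-tags.php?taxonomy=category' ) );
    exit;
}

// AFTER: the same handler with the checks the recommended actions call for.
// The submitting form must emit the matching nonce with
// wp_nonce_field( 'fpw_demo_save_thumbnail' ).
function fpw_demo_save_thumbnail_checked() {
    // 1. Authorization: check a capability, not a role name, so custom roles
    //    that legitimately manage categories keep working. manage_categories
    //    is the core capability for editing category terms.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_die( esc_html__( 'Not allowed to change category thumbnails.', 'fpw-demo' ), '', array( 'response' => 403 ) );
    }

    // 2. Nonce: binds the request to a form this site issued, so an authorized
    //    user cannot be tricked into submitting it from another site (CSRF).
    check_admin_referer( 'fpw_demo_save_thumbnail' );

    // 3. Validate input before writing anything.
    $term_id  = isset( $_POST['term_id'] ) ? absint( $_POST['term_id'] ) : 0;
    $image_id = isset( $_POST['image_id'] ) ? absint( $_POST['image_id'] ) : 0;
    if ( ! $term_id || ! term_exists( $term_id, 'category' ) ) {
        wp_die( esc_html__( 'Invalid category.', 'fpw-demo' ), '', array( 'response' => 400 ) );
    }
    if ( $image_id && 'attachment' !== get_post_type( $image_id ) ) {
        wp_die( esc_html__( 'Invalid image.', 'fpw-demo' ), '', array( 'response' => 400 ) );
    }

    update_term_meta( $term_id, 'fpw_demo_thumbnail_id', $image_id );
    wp_safe_redirect( admin_url( 'edit-tags.php?taxonomy=category&fpw_demo_saved=1' ) );
    exit;
}
add_action( 'admin_post_fpw_demo_save_thumbnail', 'fpw_demo_save_thumbnail_checked' );
```

The capability check must come before any state-changing call; a nonce alone does not authorize, it only proves the request came from a form the site rendered.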

Advisories

Source: EUVD
ID: EUVD-2025-14734
Title: Missing Authorization vulnerability in Frank P. Walentynowicz FPW Category Thumbnails allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FPW Category Thumbnails: from n/a through 1.9.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1), values added:
    {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description, value removed:
    Missing Authorization vulnerability in Frank P. Walentynowicz FPW Category Thumbnails allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FPW Category Thumbnails: from n/a through 1.9.5.
  Description, value added:
    Missing Authorization vulnerability in Frank P. Walentynowicz FPW Category Thumbnails fpw-category-thumbnails allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FPW Category Thumbnails: from n/a through <= 1.9.5.
  References: (no values listed)
  Metrics (cvssV3_1), values added:
    {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Thu, 03 Apr 2025 19:15:00 +0000

  Metrics (ssvc), values added:
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 03 Apr 2025 13:45:00 +0000

  Description, value added:
    Missing Authorization vulnerability in Frank P. Walentynowicz FPW Category Thumbnails allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FPW Category Thumbnails: from n/a through 1.9.5.
  Title, value added:
    WordPress FPW Category Thumbnails Plugin <= 1.9.5 - Broken Access Control vulnerability
  Weaknesses, value added: CWE-862
  References: (no values listed)
  Metrics (cvssV3_1), values added:
    {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:14.192Z

Reserved: 2025-04-01T13:20:50.879Z

Link: CVE-2025-31841

Vulnrichment

Updated: 2025-04-03T18:50:57.368Z

NVD

Status: Deferred

Published: 2025-04-03T14:15:40.720

Modified: 2026-04-23T15:28:23.823

Link: CVE-2025-31841

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:30:15Z

Weaknesses