Description
Missing Authorization vulnerability in WPWebinarSystem WebinarPress wp-webinarsystem allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WebinarPress: from n/a through <= 1.33.28.
Published: 2025-04-01
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows attackers to perform actions that should be restricted. The flaw is classified as CWE-862, which indicates improper privilege or permission handling. An attacker empowered by this weakness can access or manipulate webinar configurations and participant data beyond their intended privileges, potentially exposing sensitive information or disrupting scheduled events.

Affected Systems

WordPress sites that use the WPWebinarSystem WebinarPress plugin, including the lite version, are affected when running versions up to and including 1.33.28. The vulnerability applies to all deployments of the plugin with any user role that can interact with the webinar management interface.

Risk and Exploitability

The CVSS score is 4.3, representing moderate severity, and the EPSS score is less than 1%, indicating a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote access via HTTP requests to the plugin’s API or administrative pages. An attacker does not need special privileges beyond being able to reach the site; typical exploitation would involve sending crafted requests to the plugin endpoints to elevate privileges or access restricted data.

Generated by OpenCVE AI on May 1, 2026 at 01:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the webinarpress plugin to the latest release (versions newer than 1.33.28).
  • Enforce least‑privilege by restricting user roles that can configure or manage webinars, ensuring only trusted administrators have complete control.
  • Deploy a web‑application firewall rule set that blocks unauthorized requests to the plugin’s endpoints, such as unexpected POST or GET parameters that could be used for privilege escalation.

Generated by OpenCVE AI on May 1, 2026 at 01:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9150 Missing Authorization vulnerability in WPWebinarSystem WebinarPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebinarPress: from n/a through 1.33.27.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in WPWebinarSystem WebinarPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebinarPress: from n/a through 1.33.27. Missing Authorization vulnerability in WPWebinarSystem WebinarPress wp-webinarsystem allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WebinarPress: from n/a through <= 1.33.28.
Title WordPress WordPress Webinar Plugin <= 1.33.27 - Broken Access Control vulnerability WordPress Webinar Plugin <= 1.33.28 - Broken Access Control vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Wed, 28 Jan 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Webinarpress
Webinarpress webinarpress
CPEs cpe:2.3:a:webinarpress:webinarpress:*:*:*:*:lite:wordpress:*:*
Vendors & Products Webinarpress
Webinarpress webinarpress

Tue, 01 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 15:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in WPWebinarSystem WebinarPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebinarPress: from n/a through 1.33.27.
Title WordPress WordPress Webinar Plugin <= 1.33.27 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Webinarpress Webinarpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:15.269Z

Reserved: 2025-04-01T13:21:22.233Z

Link: CVE-2025-31882

cve-icon Vulnrichment

Updated: 2025-04-01T15:40:49.496Z

cve-icon NVD

Status : Modified

Published: 2025-04-01T15:16:30.967

Modified: 2026-04-23T15:28:28.813

Link: CVE-2025-31882

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T01:45:05Z

Weaknesses