Description
Missing Authorization vulnerability in 6Storage 6Storage Rentals 6storage-rentals allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 6Storage Rentals: from n/a through <= 2.20.2.
Published: 2025-04-04
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The 6Storage Rentals plugin for WordPress contains a missing authorization flaw that allows attackers to exploit incorrectly configured access control security levels. Because the plugin does not enforce proper user role checks, unauthorized users could perform privileged operations or access restricted content. This weakness is classified as CWE-862 (Missing Authorization).

Affected Systems

WordPress sites that use the 6Storage Rentals plugin up to and including version 2.20.2 are affected. The vulnerability applies to all installations of this plugin that rely on the default or custom access settings provided prior to the release of version 2.20.3.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate impact, while an EPSS score of less than 1% suggests that the likelihood of exploitation is low at present. The vulnerability is not listed in the CISA KEV catalog. Based on the nature of the flaw, the likely attack vector involves interacting with the plugin’s API or administrative interfaces, either through authenticated user accounts or via publicly reachable URLs if the site’s configuration exposes them.

Generated by OpenCVE AI on May 1, 2026 at 11:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the 6Storage Rentals plugin to a version newer than 2.20.2.
  • If a patch is not yet available, restrict all plugin‑related capabilities to the Administrator role in WordPress or remove any custom capabilities that grant broader access.
  • Disable the 6Storage Rentals plugin entirely if it is no longer needed for site functionality.
  • Review the site’s configuration to ensure that no plugin‑provided endpoints are publicly accessible and that role‑based access control is correctly enforced.

Advisories
Source: EUVD
ID: EUVD-2025-9836
Title: Missing Authorization vulnerability in 6Storage 6Storage Rentals allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 6Storage Rentals: from n/a through 2.18.0.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in 6Storage 6Storage Rentals 6storage-rentals allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 6Storage Rentals: from n/a through <= 2.22.0.
  Added: Missing Authorization vulnerability in 6Storage 6Storage Rentals 6storage-rentals allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 6Storage Rentals: from n/a through <= 2.20.2.
Title
  Removed: WordPress 6Storage Rentals plugin <= 2.22.0 - Broken Access Control vulnerability
  Added: WordPress 6Storage Rentals plugin <= 2.20.2 - Broken Access Control vulnerability

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in 6Storage 6Storage Rentals 6storage-rentals allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 6Storage Rentals: from n/a through <= 2.20.2.
  Added: Missing Authorization vulnerability in 6Storage 6Storage Rentals 6storage-rentals allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 6Storage Rentals: from n/a through <= 2.22.0.
Title
  Removed: WordPress 6Storage Rentals plugin <= 2.20.2 - Broken Access Control vulnerability
  Added: WordPress 6Storage Rentals plugin <= 2.22.0 - Broken Access Control vulnerability
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in 6Storage 6Storage Rentals allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 6Storage Rentals: from n/a through 2.18.0.
  Added: Missing Authorization vulnerability in 6Storage 6Storage Rentals 6storage-rentals allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 6Storage Rentals: from n/a through <= 2.20.2.
Title
  Removed: WordPress 6Storage Rentals Plugin <= 2.18.0 - Broken Access Control vulnerability
  Added: WordPress 6Storage Rentals plugin <= 2.20.2 - Broken Access Control vulnerability
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Fri, 04 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in 6Storage 6Storage Rentals allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 6Storage Rentals: from n/a through 2.18.0.
Title WordPress 6Storage Rentals Plugin <= 2.18.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:03:52.956Z

Reserved: 2025-04-04T10:01:12.079Z

Link: CVE-2025-32178

Vulnrichment

Updated: 2025-04-04T18:21:18.556Z

NVD

Status: Deferred

Published: 2025-04-04T16:15:27.173

Modified: 2026-04-28T19:31:29.803

Link: CVE-2025-32178

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:15:15Z

Weaknesses