Description
Missing Authorization vulnerability in CreativeMindsSolutions CM Registration and Invitation Codes cm-invitation-codes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CM Registration and Invitation Codes: from n/a through <= 2.5.6.
Published: 2025-04-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE describes a missing authorization flaw in the CreativeMindsSolutions CM Registration and Invitation Codes plugin for WordPress. The plugin fails to enforce proper access checks, allowing users who should be denied to perform privileged actions such as creating, editing, or deleting registration and invitation codes. This compromise could affect confidentiality, integrity, and availability of the website by enabling unauthorized data manipulation or credential exposure.

Affected Systems

The affected product is the WordPress plugin CM Registration and Invitation Codes from CreativeMindsSolutions. All releases up to and including version 2.5.6 are impacted. Users running these versions should upgrade the plugin to a fixed release to avoid exposure to potential exploitation.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while an EPSS score of less than 1% indicates a very low estimated probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is web-based, targeting the plugin's administrative interface; it requires no privileges beyond those of a role that can access the plugin pages. No additional conditions are explicitly stated, so the flaw can be used by any user who can reach the vulnerable backend pages if the security settings are incorrect.

Generated by OpenCVE AI on April 30, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update CM Registration and Invitation Codes plugin to the latest version (≥ 2.5.7) or any release that contains the access‑control fix.
  • Verify that only appropriate WordPress roles (e.g., Administrator) have the capability to manage registration and invitation codes, and remove or restrict that capability for lower-privileged roles.
  • Inspect the plugin’s configuration and the site’s security plugin settings to ensure that any custom access‑control rules correctly limit access to the plugin’s administrative features.



Advisories
Source: EUVD
ID: EUVD-2025-10448
Title: Missing Authorization vulnerability in CreativeMindsSolutions CM Registration and Invitation Codes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CM Registration and Invitation Codes: from n/a through 2.5.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in CreativeMindsSolutions CM Registration and Invitation Codes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CM Registration and Invitation Codes: from n/a through 2.5.2.
  Added: Missing Authorization vulnerability in CreativeMindsSolutions CM Registration and Invitation Codes cm-invitation-codes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CM Registration and Invitation Codes: from n/a through <= 2.5.6.
Title
  Removed: WordPress CM Registration and Invitation Codes plugin <= 2.5.2 - Broken Access Control vulnerability
  Added: WordPress CM Registration and Invitation Codes plugin <= 2.5.6 - Broken Access Control vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Thu, 10 Apr 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 10 Apr 2025 08:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in CreativeMindsSolutions CM Registration and Invitation Codes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CM Registration and Invitation Codes: from n/a through 2.5.2.
Title WordPress CM Registration and Invitation Codes plugin <= 2.5.2 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:19.073Z

Reserved: 2025-04-04T10:01:35.761Z

Link: CVE-2025-32210

Vulnrichment

Updated: 2025-04-10T19:26:14.206Z

NVD

Status: Deferred

Published: 2025-04-10T08:15:18.143

Modified: 2026-04-23T15:28:45.740

Link: CVE-2025-32210

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T23:30:03Z

Weaknesses