Description
Missing Authorization vulnerability in aleswebs AdMail – Multilingual Back in-Stock Notifier for WooCommerce admail allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AdMail – Multilingual Back in-Stock Notifier for WooCommerce: from n/a through <= 1.7.0.
Published: 2025-04-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the WordPress AdMail plugin that allows attackers to bypass the plugin’s configured security levels. This broken access control enables an unauthorized user to access privileged functions within the plugin, potentially modifying notifications, viewing sensitive data, or initiating actions that should be limited to administrators. The weakness is classified as CWE-862: Missing Authorization.

Affected Systems

The affected product is the aleswebs AdMail – Multilingual Back in-Stock Notifier for WooCommerce plugin. All versions from the earliest available through version 1.7.0 are vulnerable. Users running any of these versions on WordPress sites remain exposed until they upgrade beyond 1.7.0.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% reflects a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires the attacker to send crafted requests to the plugin’s endpoints; the likely attack vector is remote via the web interface and does not require prior authentication.

Generated by OpenCVE AI on May 1, 2026 at 11:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AdMail plugin to a version newer than 1.7.0 as soon as possible.
  • If an immediate update is not feasible, temporarily disable or uninstall the plugin to prevent exploitation.
  • Restrict WordPress role permissions so that only trusted administrators can manage the plugin’s notification functions, limiting the impact of any undisclosed weaknesses.

Advisories
Source: EUVD
ID: EUVD-2025-9809
Title: Missing Authorization vulnerability in aleswebs AdMail – Multilingual Back in-Stock Notifier for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AdMail – Multilingual Back in-Stock Notifier for WooCommerce: from n/a through 1.7.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Missing Authorization vulnerability in aleswebs AdMail – Multilingual Back in-Stock Notifier for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AdMail – Multilingual Back in-Stock Notifier for WooCommerce: from n/a through 1.7.0.
Values Added: Missing Authorization vulnerability in aleswebs AdMail – Multilingual Back in-Stock Notifier for WooCommerce admail allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AdMail – Multilingual Back in-Stock Notifier for WooCommerce: from n/a through <= 1.7.0.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Fri, 04 Apr 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in aleswebs AdMail – Multilingual Back in-Stock Notifier for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AdMail – Multilingual Back in-Stock Notifier for WooCommerce: from n/a through 1.7.0.
Title WordPress AdMail plugin <= 1.7.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:19.508Z

Reserved: 2025-04-04T10:01:59.468Z

Link: CVE-2025-32234

Vulnrichment

Updated: 2025-04-04T19:52:27.186Z

NVD

Status: Deferred

Published: 2025-04-04T16:15:32.760

Modified: 2026-04-23T15:28:48.330

Link: CVE-2025-32234

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:15:15Z

Weaknesses