Description
Missing Authorization vulnerability in wpvsingh Site Notify site-notify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Site Notify: from n/a through <= 1.0.
Published: 2025-04-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Site Notify plugin for WordPress suffers from a missing authorization check, allowing attackers to bypass intended access restrictions. This broken access control flaw enables an unauthenticated or low‑privileged user to perform actions or view data that should be protected, potentially leading to data exposure or further compromise of the site. The flaw is categorized as CWE‑862, reflecting an improper authorization weakness.

Affected Systems

The vulnerability affects the Site Notify plugin from the wpvsingh vendor. Versions up to and including 1.0 are impacted; no newer version information is specified.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the current environment. The plugin is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through the WordPress website interface, where an attacker could craft requests to plugin endpoints that lack proper role checks. No explicit exploit code is mentioned, but the missing authorization control allows an attacker to elevate privileges or access restricted content if the site exposes plugin URLs to unauthorized users.

Generated by OpenCVE AI on April 30, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Site Notify to a version newer than 1.0 as soon as an update is released.
  • If an upgrade is not feasible, disable the Site Notify plugin to remove the vulnerable code path.
  • Ensure that Site Notify is accessible only to administrator roles and review WordPress role capabilities to enforce proper authorization.

Generated by OpenCVE AI on April 30, 2026 at 23:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-10453 Missing Authorization vulnerability in NotFound Site Notify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Site Notify: from n/a through 1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in NotFound Site Notify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Site Notify: from n/a through 1.0. Missing Authorization vulnerability in wpvsingh Site Notify site-notify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Site Notify: from n/a through <= 1.0.
Title WordPress Site Notify <= 1.0 - Broken Access Control Vulnerability WordPress Site Notify plugin <= 1.0 - Broken Access Control Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Thu, 10 Apr 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 10 Apr 2025 08:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in NotFound Site Notify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Site Notify: from n/a through 1.0.
Title WordPress Site Notify <= 1.0 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:19.631Z

Reserved: 2025-04-04T10:01:59.469Z

Link: CVE-2025-32240

cve-icon Vulnrichment

Updated: 2025-04-10T16:03:49.433Z

cve-icon NVD

Status : Deferred

Published: 2025-04-10T08:15:19.920

Modified: 2026-04-23T15:28:49.043

Link: CVE-2025-32240

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T23:30:03Z

Weaknesses