Description
Missing Authorization vulnerability in Malcure Web Security Malcure Malware Scanner wp-malware-removal allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Malcure Malware Scanner: from n/a through <= 16.8.
Published: 2025-09-03
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Malcure Malware Scanner plugin for WordPress suffers a missing authorization flaw that lets attackers bypass intended access restrictions. This flaw stems from incorrectly configured access control security levels and is captured by CWE‑862. An attacker could manipulate or retrieve plugin data without proper privileges, which may lead to unauthorized modifications or data exposure.

Affected Systems

The affected product is the Malcure Web Security Malcure Malware Scanner WordPress plugin, versions up through 16.8. Older releases lack a fix.

Risk and Exploitability

The CVSS score of 4.3 marks the vulnerability as medium severity, and the EPSS score of less than 1% indicates a very small chance of exploitation. It is not listed in the CISA KEV catalog. Likely attack vectors involve remote interaction with the plugin’s administrative endpoints, and the flaw could be exploited by any user with access to the WordPress dashboard or possibly by unauthenticated visitors, depending on the configuration. Exploits would require no additional software but rely on the improper access checks.

Generated by OpenCVE AI on April 30, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Malcure Malware Scanner to version 16.9 or later to apply the vendor patch.
  • If an update is unavailable, disable the plugin to prevent exposure.
  • Review WordPress role‑based access control settings to restrict who can use malware scanning functions.
  • Monitor site activity logs for suspicious changes to the plugin or its configuration.



Advisories
Source: EUVD
ID: EUVD-2025-26498
Title: Missing Authorization vulnerability in Malcure Web Security Malcure Malware Scanner allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Malcure Malware Scanner: from n/a through 16.8.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Missing Authorization vulnerability in Malcure Web Security Malcure Malware Scanner allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Malcure Malware Scanner: from n/a through 16.8.
Values Added: Missing Authorization vulnerability in Malcure Web Security Malcure Malware Scanner wp-malware-removal allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Malcure Malware Scanner: from n/a through <= 16.8.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Thu, 04 Sep 2025 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 03 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Sep 2025 13:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Malcure Web Security Malcure Malware Scanner allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Malcure Malware Scanner: from n/a through 16.8.
Title WordPress Malcure Malware Scanner plugin <= 16.8 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:29.054Z

Reserved: 2025-04-16T06:27:18.959Z

Link: CVE-2025-3701

Vulnrichment

Updated: 2025-09-03T13:15:19.655Z

NVD

Status: Deferred

Published: 2025-09-03T13:15:49.063

Modified: 2026-04-23T15:29:52.367

Link: CVE-2025-3701

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:30:16Z

Weaknesses