CVE-2025-4654 - Vulnerability Details

- Soumettre.fr <= 2.1.5 - Improper Authorization to Unauthenticated Soumettre Posts Creation/Modification/Deletion

Description

The Soumettre.fr plugin for WordPress is vulnerable to unauthorized access and modification of data due to a improper authorization checks on the make_signature function in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to create/edit/delete Soumettre posts. This vulnerability affects only installations where the soumettre account is not connected (i.e. API key is not installed)

Published: 2025-07-02

Score: 3.7 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Soumettre.fr plugin for WordPress contains an improper authorization check in its make_signature function, allowing an attacker to create, edit, or delete Soumettre posts without authentication. This access control failure (CWE-285) results in unauthorized manipulation of content, potentially compromising the integrity of the site and exposing sensitive information.

Affected Systems

WordPress installations running Soumettre.fr version 2.1.5 or earlier, specifically when the Soumettre account is not connected via an API key.

Risk and Exploitability

The vulnerability has a CVSS score of 3.7, indicating low severity. Its EPSS score is below 1%, suggesting a very low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The attack vector is inferred to be unauthenticated access via the plugin’s REST API endpoints, where the lack of proper authorization allows attackers to perform post actions.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

soumettre

Soumettre.fr

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.1.5

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Soumettre.fr to the latest available version where the authorization check has been fixed
If an update cannot be applied immediately, remove or disable the plugin, or disable API key connectivity to prevent unauthorized operations
Audit the WordPress REST API configuration to ensure that all endpoints for Soumettre posts require proper authentication before allowing creation, editing, or deletion

Generated by OpenCVE AI on April 21, 2026 at 19:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-19681	The Soumettre.fr plugin for WordPress is vulnerable to unauthorized access and modification of data due to a improper authorization checks on the make_signature function in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to create/edit/delete Soumettre posts. This vulnerability affects only installations where the soumettre account is not connected (i.e. API key is not installed)

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0013.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/soumettre-fr/tags/2.1.5/public/rest/class-soumettre-rest-route.php#L211
https://www.wordfence.com/threat-intel/vulnerabilities/id/4f29d476-0730-437c-8065-309523278efa?source=cve

History

Wed, 02 Jul 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 02 Jul 2025 04:00:00 +0000

Type	Values Removed	Values Added
Description		The Soumettre.fr plugin for WordPress is vulnerable to unauthorized access and modification of data due to a improper authorization checks on the make_signature function in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to create/edit/delete Soumettre posts. This vulnerability affects only installations where the soumettre account is not connected (i.e. API key is not installed)
Title		Soumettre.fr <= 2.1.5 - Improper Authorization to Unauthenticated Soumettre Posts Creation/Modification/Deletion
Weaknesses		CWE-285
References		https://plugins.trac.wordpress.org/browser/soumettre-fr/tags/2.1.5/public/rest/class-soumettre-rest-route.php#L211 https://www.wordfence.com/threat-intel/vulnerabilities/id/4f29d476-0730-437c-8065-309523278efa?source=cve
Metrics		cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-07-02T03:47:24.306Z

Updated: 2026-04-08T16:51:58.194Z

Reserved: 2025-05-13T13:51:31.166Z

Link: CVE-2025-4654

Vulnrichment

Updated: 2025-07-02T13:05:23.430Z

NVD

Status : Deferred

Published: 2025-07-02T04:15:54.673

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4654

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:00:25Z

Weaknesses

CWE-285

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object