Description
Missing Authorization vulnerability in The African Boss Get Cash get-cash allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Get Cash: from n/a through <= 3.2.3.
Published: 2025-12-18
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that permits attackers to bypass the plugin’s internal access checks and reach protected actions. When the Get Cash plugin is installed with any version 3.2.3 or earlier, requests that should be restricted can be generated by an unauthenticated or low‑privileged user. Because the plugin handles monetary or personal data, exposure can lead to disclosure or modification of sensitive values.

Affected Systems

All WordPress sites that have the African Boss Get Cash plugin installed with a version number less than or equal to 3.2.3. The plugin is part of the African Boss product line, specifically the Get Cash component. No specific patch version is listed, so the recommendation is to upgrade beyond 3.2.3 or apply the vendor’s fix if available.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, and the EPSS score is less than 1%, suggesting the likelihood of exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. However, a remote attacker could send crafted HTTP requests that exploit the missing authorization and potentially read or alter financial data. Because the plugin is web‑exposed, the attack vector is likely remote. Organizations should treat this as moderate risk until patched and monitor exploit activity.

Generated by OpenCVE AI on April 30, 2026 at 04:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Get Cash plugin to the latest version that contains the authorization fix.
  • If an update is not immediately available, restrict access to the plugin’s URLs by configuring WordPress role permissions or using a firewall rule to block unauthenticated requests.
  • Maintain a disciplined update policy for WordPress core and all plugins, and enable monitoring for abnormal access to plugin endpoints.

Generated by OpenCVE AI on April 30, 2026 at 04:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in The African Boss Get Cash get-cash allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Get Cash: from n/a through <= 3.2.3.
Title WordPress Get Cash plugin <= 3.2.3 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:58.038Z

Reserved: 2025-05-30T14:04:26.750Z

Link: CVE-2025-49041

cve-icon Vulnrichment

Updated: 2025-12-18T19:06:10.821Z

cve-icon NVD

Status : Deferred

Published: 2025-12-18T08:15:49.837

Modified: 2026-04-27T20:16:08.060

Link: CVE-2025-49041

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T05:00:14Z

Weaknesses