CVE-2025-49950 - Vulnerability Details

- WordPress Official Integration for Billingo plugin <= 4.3.0 - Privilege Escalation vulnerability

Description

Missing Authorization vulnerability in billingo Official Integration for Billingo billingo allows Privilege Escalation.This issue affects Official Integration for Billingo: from n/a through <= 4.3.0.

Published: 2025-10-22

Score: 7.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Missing authorization checks in the WordPress Official Integration for Billingo plugin allow an authenticated user to elevate privileges. A user with basic access can exploit vulnerable endpoints or actions, gaining administrative rights to modify billing records, manage users, or alter financial data. The flaw is a classic missing privilege check (CWE‑862) and could lead to unauthorized manipulation of sensitive financial information.

Affected Systems

Vendors affected are Billingo for the Official Integration for Billingo plugin on WordPress. The vulnerability exists in all releases from the initial launch through version 4.3.0. No other product versions are impacted.

Risk and Exploitability

With a CVSS score of 7.2 and an EPSS of less than 1 %, the likelihood of exploitation is currently low, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attack surface is remote via the WordPress web interface; an attacker who has authenticated as a normal user could manipulate privileges to reach administrative functionality. The potential consequences include full control over billing operations and disclosure of financial data. The risk remains moderate until a patch is applied.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

billingo

Official Integration for Billingo

unaffected

Version	Status	Constraints
`0`	affected	≤ 4.3.0

No data.

Vendor	Product	Confidence	Versions
Official Integration For Billingo Project	Official Integration For Billingo	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the plugin to the latest available version that addresses the missing authorization flaw (any release newer than 4.3.0).
Implement role‑based access controls in WordPress to restrict modification permissions to administrators only.
Monitor user roles and audit logs for unauthorized elevation events.

Generated by OpenCVE AI on April 30, 2026 at 14:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00019.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/billingo/vulnerability/wordpress-official-integration-for-billingo-plugin-4-2-5-privilege-escalation-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}`	cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Missing Authorization vulnerability in billingo Official Integration for Billingo billingo allows Privilege Escalation.This issue affects Official Integration for Billingo: from n/a through <= 4.2.5.	Missing Authorization vulnerability in billingo Official Integration for Billingo billingo allows Privilege Escalation.This issue affects Official Integration for Billingo: from n/a through <= 4.3.0.
Title	WordPress Official Integration for Billingo Plugin <= 4.2.5 - Privilege Escalation Vulnerability	WordPress Official Integration for Billingo plugin <= 4.3.0 - Privilege Escalation vulnerability

Tue, 20 Jan 2026 15:30:00 +0000

Type	Values Removed	Values Added
References	https://vdp.patchstack.com/database/Wordpress/Plugin/billingo/vulnerability/wordpress-official-integration-for-billingo-plugin-4-2-5-privilege-escalation-vulnerability?_s_id=cve

Tue, 20 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
References		https://patchstack.com/database/Wordpress/Plugin/billingo/vulnerability/wordpress-official-integration-for-billingo-plugin-4-2-5-privilege-escalation-vulnerability?_s_id=cve

Thu, 13 Nov 2025 11:30:00 +0000

Type	Values Removed	Values Added
References	https://vdp.patchstack.com/database/Wordpress/Plugin/billingo/vulnerability/wordpress-official-integration-for-billingo-plugin-4-2-5-privilege-escalation-vulnerability

Thu, 13 Nov 2025 10:45:00 +0000

Type	Values Removed	Values Added
References		https://vdp.patchstack.com/database/Wordpress/Plugin/billingo/vulnerability/wordpress-official-integration-for-billingo-plugin-4-2-5-privilege-escalation-vulnerability?_s_id=cve

Thu, 23 Oct 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}`

Thu, 23 Oct 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 23 Oct 2025 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Official Integration For Billingo Project Official Integration For Billingo Project official Integration For Billingo Wordpress Wordpress wordpress
Vendors & Products		Official Integration For Billingo Project Official Integration For Billingo Project official Integration For Billingo Wordpress Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type	Values Removed	Values Added
Description		Missing Authorization vulnerability in billingo Official Integration for Billingo billingo allows Privilege Escalation.This issue affects Official Integration for Billingo: from n/a through <= 4.2.5.
Title		WordPress Official Integration for Billingo Plugin <= 4.2.5 - Privilege Escalation Vulnerability
Weaknesses		CWE-862
References		https://vdp.patchstack.com/database/Wordpress/Plugin/billingo/vulnerability/wordpress-official-integration-for-billingo-plugin-4-2-5-privilege-escalation-vulnerability

Subscriptions

Official Integration For Billingo Project Official Integration For Billingo

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-10-22T14:32:18.932Z

Updated: 2026-04-28T16:13:08.830Z

Reserved: 2025-06-11T16:07:27.325Z

Link: CVE-2025-49950

Vulnrichment

Updated: 2025-10-23T14:31:32.927Z

NVD

Status : Deferred

Published: 2025-10-22T15:15:41.373

Modified: 2026-04-27T20:16:18.920

Link: CVE-2025-49950

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:00:14Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object