Description
Missing Authorization vulnerability in contentstudio Contentstudio contentstudio allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Contentstudio: from n/a through <= 1.3.7.
Published: 2025-06-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing authorization in the ContentStudio plugin allows attackers to call backend functions that are not properly protected by access control lists. This flaw can lead to unauthorized operations such as retrieving restricted data, modifying settings, or executing arbitrary actions that should be reserved for privileged users. The weakness is categorized as CWE‑862, reflecting an improper validation of permissions. Consequently, an attacker who can reach the plugin’s endpoints may compromise the confidentiality, integrity, or availability of the WordPress site.

Affected Systems

The affected product is the WordPress ContentStudio plugin distributed by Contentstudio. Versions from the initial release up through 1.3.7 are affected. Users running any of those releases are vulnerable unless additional configuration limits the exposed endpoints.

Risk and Exploitability

With a CVSS score of 5.3, the vulnerability is considered medium severity. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and it is not currently listed in the CISA KEV catalog. Attackers can exploit the flaw by making HTTP requests directly to the plugin’s privileged endpoints, bypassing the standard role checks. The vulnerability could be leveraged by users who do not have administrative privileges, depending on the plugin’s internal permissions.

Generated by OpenCVE AI on April 30, 2026 at 10:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ContentStudio plugin to a version newer than 1.3.7.
  • Verify that role‑based restrictions on the plugin’s functions are correctly applied.
  • Restrict access to the plugin’s administrative URLs by configuring .htaccess rules or a web‑application firewall.
  • Disable or delete the plugin if it is not required for site operation.

Generated by OpenCVE AI on April 30, 2026 at 10:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28343 Missing Authorization vulnerability in contentstudio ContentStudio allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects ContentStudio: from n/a through 1.3.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in contentstudio ContentStudio allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects ContentStudio: from n/a through 1.3.4. Missing Authorization vulnerability in contentstudio Contentstudio contentstudio allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Contentstudio: from n/a through <= 1.3.7.
Title WordPress ContentStudio plugin <= 1.3.4 - Broken Access Control Vulnerability WordPress ContentStudio plugin <= 1.3.7 - Broken Access Control vulnerability
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Mon, 23 Jun 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in contentstudio ContentStudio allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects ContentStudio: from n/a through 1.3.4.
Title WordPress ContentStudio plugin <= 1.3.4 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:14.946Z

Reserved: 2025-06-11T16:07:56.073Z

Link: CVE-2025-49990

cve-icon Vulnrichment

Updated: 2025-06-23T17:15:27.166Z

cve-icon NVD

Status : Deferred

Published: 2025-06-20T15:15:25.170

Modified: 2026-04-23T15:31:56.177

Link: CVE-2025-49990

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T11:00:15Z

Weaknesses