Description
Missing Authorization vulnerability in Syed Balkhi Giveaways and Contests by RafflePress rafflepress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Giveaways and Contests by RafflePress: from n/a through <= 1.12.18.
Published: 2025-06-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization flaw in the Giveaways and Contests by RafflePress WordPress plugin permits users to invoke protected functionality without proper access control checks. The flaw allows an attacker to access or manipulate plugin features that should be limited to privileged users, potentially leading to unauthorized data exposure or modification. The issue is classified as CWE-862 (Missing Authorization).

Affected Systems

The vulnerability affects the Giveaways and Contests by RafflePress plugin from Syed Balkhi, for all versions up to and including 1.12.18. Site owners running any of these versions on WordPress are exposed.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity with a moderate impact on confidentiality and integrity. The EPSS score of less than 1% suggests a low probability that the flaw is currently being exploited in the wild, and the vulnerability is not listed in CISA's KEV catalog. Exploitation would likely occur via a web-based attack vector, where an attacker submits crafted requests to the plugin's endpoints to bypass ACL checks. Since the flaw can be triggered remotely by submitting requests that are not properly authenticated, the risk remains present until patched.

Generated by OpenCVE AI on April 30, 2026 at 10:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Giveaways and Contests by RafflePress plugin to a version newer than 1.12.18.
  • If immediate upgrade is not possible, restrict access to the plugin's administrative endpoints by limiting them to administrator-level users or disabling them through WordPress settings.
  • Disable the Giveaways and Contests by RafflePress plugin entirely until a secure version is applied.

Generated by OpenCVE AI on April 30, 2026 at 10:47 UTC.
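The failure class this CVE records (CWE-862, plus the CSRF angle noted in the advisory title) illustrated with a constructed WordPress AJAX handler: the weak pattern that lets any request reach privileged functionality, beside the hardened form that enforces the administrator-level restriction the recommendations above describe. This is an added example, not RafflePress code; the hook names, capability, post type and meta key are assumptions.

```php
<?php
// Hypothetical plugin AJAX handler used to illustrate CWE-862.
// Not RafflePress code; every name below is constructed for this example.

// Weak pattern: registered for logged-in AND anonymous callers
// (wp_ajax_nopriv_*) with no capability check and no nonce, so any
// unauthenticated request can change giveaway data.
add_action( 'wp_ajax_example_save_giveaway', 'example_save_giveaway_weak' );
add_action( 'wp_ajax_nopriv_example_save_giveaway', 'example_save_giveaway_weak' );

function example_save_giveaway_weak() {
    $id    = absint( $_POST['giveaway_id'] ?? 0 );
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_post_meta( $id, '_example_giveaway_title', $title );
    wp_send_json_success();
}

// Hardened pattern: only logged-in users can reach the hook (no nopriv
// registration), the request must carry a valid nonce (CSRF), and the
// caller must hold an administrator-level capability (authorization).
add_action( 'wp_ajax_example_save_giveaway_v2', 'example_save_giveaway_hardened' );

function example_save_giveaway_hardened() {
    // CSRF: the nonce is issued with wp_create_nonce( 'example_save_giveaway' )
    // and check_ajax_referer() dies with HTTP 403 if it is missing or invalid.
    check_ajax_referer( 'example_save_giveaway', 'nonce' );

    // Authorization (the CWE-862 fix): require a capability that only
    // administrator-level users hold.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $id = absint( $_POST['giveaway_id'] ?? 0 );
    // Object-level check: the target must exist and be the plugin's own post type,
    // so the handler cannot be pointed at arbitrary posts.
    if ( get_post_type( $id ) !== 'example_giveaway' ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_post_meta( $id, '_example_giveaway_title', $title );
    wp_send_json_success( array( 'id' => $id ) );
}
```

When auditing a plugin for this class of bug, look for every wp_ajax_nopriv_* and REST route registration and confirm that each handler performs both a capability check and a nonce or permission_callback check before any state change.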

Advisories
Source: EUVD
ID: EUVD-2025-18901
Title: Missing Authorization vulnerability in Syed Balkhi Giveaways and Contests by RafflePress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Giveaways and Contests by RafflePress: from n/a through 1.12.17.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Missing Authorization vulnerability in Syed Balkhi Giveaways and Contests by RafflePress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Giveaways and Contests by RafflePress: from n/a through 1.12.17.
Values Added: Missing Authorization vulnerability in Syed Balkhi Giveaways and Contests by RafflePress rafflepress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Giveaways and Contests by RafflePress: from n/a through <= 1.12.18.
Type: Title
Values Removed: WordPress Giveaways and Contests by RafflePress plugin <= 1.12.17 - Broken Access Control Vulnerability
Values Added: WordPress Giveaways and Contests by RafflePress plugin <= 1.12.18 - Broken Access Control + CSRF Vulnerability
Type: References
Type: Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Mon, 23 Jun 2025 16:15:00 +0000

Type: Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Jun 2025 15:15:00 +0000

Type: Description
Value: Missing Authorization vulnerability in Syed Balkhi Giveaways and Contests by RafflePress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Giveaways and Contests by RafflePress: from n/a through 1.12.17.
Type: Title
Value: WordPress Giveaways and Contests by RafflePress plugin <= 1.12.17 - Broken Access Control Vulnerability
Type: Weaknesses
Value: CWE-862
Type: References
Type: Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:15.170Z

Reserved: 2025-06-11T16:08:03.195Z

Link: CVE-2025-49997

Vulnrichment

Updated: 2025-06-23T15:30:54.800Z

NVD

Status : Deferred

Published: 2025-06-20T15:15:25.917

Modified: 2026-04-23T15:31:56.873

Link: CVE-2025-49997

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T11:00:15Z

Weaknesses