Description
Missing Authorization vulnerability in Zapier Zapier for WordPress zapier allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zapier for WordPress: from n/a through <= 1.5.2.
Published: 2025-06-20
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the Zapier for WordPress plugin, allowing attackers to invoke protected functions without proper access checks. This could enable unauthorized users to trigger Zapier workflows, create or manipulate data, or perform other privileged actions, leading to potential disclosure, modification, or denial of service to the WordPress site. The weakness is classified as CWE-862, Missing Authorization, indicating that the plugin fails to enforce role-based access controls for certain endpoints.

Affected Systems

Zapier for WordPress plugin versions through 1.5.2 are affected, including all earlier releases. The issue applies to any WordPress installation that has the plugin installed at or below 1.5.2, regardless of the WordPress core version.

Risk and Exploitability

The CVSS score of 5.4 reflects a moderate impact, but the EPSS score of less than 1% suggests very low exploitation probability. The vulnerability is not listed in CISA's KEV catalog. The most likely attack vector is an authenticated WordPress user exploiting the plugin's insufficient checks; it does not appear to be exploitable by unauthenticated external actors based on the provided description.

Generated by OpenCVE AI on April 30, 2026 at 10:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zapier for WordPress to version 1.5.3 or later which removes the missing authorization checks.
  • If an immediate upgrade is not feasible, restrict the plugin’s protected endpoints to users with the Administrator role, either by configuring role permissions or adding custom code to enforce the restriction.
  • When the plugin cannot be updated or restricted, uninstall or disable the Zapier for WordPress plugin until the vendor releases a fix, as a temporary mitigation to prevent the exposed functionality from being used.

Generated by OpenCVE AI on April 30, 2026 at 10:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28348 Missing Authorization vulnerability in Zapier Zapier for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zapier for WordPress: from n/a through 1.5.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Zapier Zapier for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zapier for WordPress: from n/a through 1.5.2. Missing Authorization vulnerability in Zapier Zapier for WordPress zapier allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zapier for WordPress: from n/a through <= 1.5.2.
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Mon, 23 Jun 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Zapier Zapier for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zapier for WordPress: from n/a through 1.5.2.
Title WordPress Zapier for WordPress plugin <= 1.5.2 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:15.874Z

Reserved: 2025-06-11T16:08:11.573Z

Link: CVE-2025-50010

cve-icon Vulnrichment

Updated: 2025-06-23T16:10:44.874Z

cve-icon NVD

Status : Deferred

Published: 2025-06-20T15:15:26.507

Modified: 2026-04-23T15:31:58.443

Link: CVE-2025-50010

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T11:00:15Z

Weaknesses