Description
Missing Authorization vulnerability in vgwort VG WORT METIS vgw-metis allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects VG WORT METIS: from n/a through <= 2.0.1.
Published: 2025-07-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The problem is a missing authorization flaw (CWE‑862) that allows an attacker to bypass the access controls configured in the VG WORT METIS plugin. An attacker who can reach the plugin’s HTTP endpoints may gain unauthorized access to administrative functions, modify or delete plugin data, or elevate privileges within the WordPress site. The flaw does not provide code‑execution capabilities; its impact is limited to unauthorized data manipulation or privilege escalation.

Affected Systems

WordPress sites that run any version of the VG WORT METIS plugin from the original release up through 2.0.1 are affected. The record lists the affected product as vgwort:VG WORT METIS, with the impacted range given as n/a through <= 2.0.1.

Risk and Exploitability

The CVSS score of 6.5 marks the issue as moderately severe, while the EPSS score of < 1% suggests a low, though non-zero, probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would most likely exploit the flaw by sending crafted HTTP requests to plugin endpoints, relying on the plugin's failure to enforce proper authorization checks. Both authenticated and unauthenticated users could potentially use the flaw if they can infer or guess valid URLs; however, the extent of damage depends on the plugin’s integration with WordPress core capabilities.

Generated by OpenCVE AI on April 30, 2026 at 09:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the VG WORT METIS plugin to the latest version (v2.0.2 or later) to eliminate the missing authorization check.
  • Restrict access to the plugin’s API routes by configuring the web server or firewall to allow only trusted sources, or enforce authentication on those routes.
  • Review WordPress user roles and capabilities to ensure that only legitimate administrators retain the privileges required to perform sensitive plugin actions.
  • Monitor access logs for unusual requests to the plugin’s endpoints and flag any unauthorized attempts for further investigation.

Advisories
Source: EUVD
ID: EUVD-2025-19993
Title: Missing Authorization vulnerability in vgwort VG WORT METIS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects VG WORT METIS: from n/a through 2.0.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Missing Authorization vulnerability in vgwort VG WORT METIS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects VG WORT METIS: from n/a through 2.0.0.
  Values Added: Missing Authorization vulnerability in vgwort VG WORT METIS vgw-metis allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects VG WORT METIS: from n/a through <= 2.0.1.
Title
  Values Removed: WordPress VG WORT METIS <= 2.0.0 - Broken Access Control Vulnerability
  Values Added: WordPress VG WORT METIS plugin <= 2.0.1 - Broken Access Control Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Mon, 07 Jul 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Jul 2025 11:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in vgwort VG WORT METIS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects VG WORT METIS: from n/a through 2.0.0.
Title WordPress VG WORT METIS <= 2.0.0 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:16.901Z

Reserved: 2025-06-11T16:08:41.943Z

Link: CVE-2025-50039

Vulnrichment

Updated: 2025-07-07T16:25:15.316Z

NVD

Status: Deferred

Published: 2025-07-04T12:15:33.017

Modified: 2026-04-23T15:32:01.737

Link: CVE-2025-50039

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T10:00:16Z
