Description
Missing Authorization vulnerability in WPXPO WowRevenue revenue. This issue affects WowRevenue: from n/a through <= 1.2.13.
Published: 2025-10-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in the WPXPO WowRevenue WordPress plugin allows an attacker to access or modify revenue information without proper authorization. This broken access control flaw is classified as CWE-862 and can compromise the confidentiality and integrity of financial data. The vulnerability is limited to the plugin’s internal data handling and does not lead to arbitrary code execution or denial of service.

Affected Systems

Any WordPress site running the WPXPO WowRevenue plugin at version 1.2.13 or earlier is affected. The affected version range runs from the earliest release up to and including 1.2.13.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests that the likelihood of exploitation is currently very low. The vulnerability is not listed in the CISA KEV catalog, so there is no evidence of widespread exploitation. Based on the description, the likely attack vector is a remote HTTP request to one of the plugin’s endpoints that bypasses the normal authorization mechanism. No additional prerequisites are mentioned, and the flaw appears to be exploitable by authenticated users with sufficient privileges or by unauthenticated users who can reach the endpoint.

Generated by OpenCVE AI on April 30, 2026 at 05:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPXPO WowRevenue plugin to the latest available version, which contains the missing authorization fix
  • Restrict access to the plugin’s administrative pages by applying role‑based permissions or a web‑application firewall rule
  • Review WordPress user roles and security policies to ensure no user has unnecessary administrative privileges that could be leveraged

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in WPXPO WowRevenue revenue. This issue affects WowRevenue: from n/a through <= 1.2.13.

Type: Title
Values Added: WordPress WowRevenue plugin <= 1.2.13 - Broken Access Control vulnerability

Type: Weaknesses
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:00.829Z

Reserved: 2025-10-07T15:34:44.825Z

Link: CVE-2025-62070

Vulnrichment

Updated: 2025-10-23T14:08:18.038Z

NVD

Status: Deferred

Published: 2025-10-22T15:16:05.853

Modified: 2026-04-27T18:16:25.377

Link: CVE-2025-62070

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T05:30:06Z

Weaknesses