Description
Missing Authorization vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Email Capture: from n/a through <= 3.12.4.
Published: 2025-12-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Email Capture plugin has a missing authorization flaw that allows users to exploit incorrectly configured access control security levels. Attackers can access information or functionality that should be restricted to higher-privilege users, potentially exposing stored email addresses and related data. This issue does not provide remote code execution or denial‑of‑service but enables data disclosure and unauthorized use of the plugin's features.

Affected Systems

WordPress environments running Rhys Wynne’s WP Email Capture plugin with versions from any initial release up through 3.12.4 are affected.

Risk and Exploitability

The flaw has a CVSS score of 5.3, indicating moderate severity, and an EPSS score of less than 1%, suggesting a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. An attacker would likely need to interact with the web interface or make authenticated requests to the plugin’s endpoints, exploiting the lack of proper role verification. While the attack surface is limited to web requests, the impact of unauthorized data exposure can be significant for sites collecting user emails.

Generated by OpenCVE AI on April 29, 2026 at 19:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Email Capture to the latest available version (greater than 3.12.4).
  • If an immediate update is not possible, configure WordPress role and capability settings to restrict the plugin’s functionality to administrators only, or disable the plugin’s endpoints using a security plugin or server firewall.
  • Monitor site logs for anomalous access patterns or attempts to use the plugin’s endpoints and enforce rate limits on those requests.

Generated by OpenCVE AI on April 29, 2026 at 19:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Wed, 10 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Rhys Wynne
Rhys Wynne wp Email Capture
Wordpress
Wordpress wordpress
Vendors & Products Rhys Wynne
Rhys Wynne wp Email Capture
Wordpress
Wordpress wordpress

Tue, 09 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 14:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Email Capture: from n/a through <= 3.12.4.
Title WordPress WP Email Capture plugin <= 3.12.4 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Rhys Wynne Wp Email Capture
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:21.978Z

Reserved: 2025-12-09T12:21:34.120Z

Link: CVE-2025-67578

cve-icon Vulnrichment

Updated: 2025-12-09T15:04:14.653Z

cve-icon NVD

Status : Deferred

Published: 2025-12-09T16:18:35.267

Modified: 2026-04-27T18:16:44.193

Link: CVE-2025-67578

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T19:45:18Z

Weaknesses