Description
Missing Authorization vulnerability in aDirectory aDirectory adirectory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects aDirectory: from n/a through <= 3.0.3.
Published: 2026-02-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch Now
AI Analysis

Impact

This vulnerability stems from a missing authorization check in the aDirectory plugin, allowing users to perform actions without proper permission validation. An attacker who can exploit this flaw may read or modify content that should be restricted, leading to unauthorized disclosure or tampering. The weakness corresponds to CWE-862, an access control issue that can undermine confidentiality and integrity of protected resources.

Affected Systems

The aDirectory plugin for WordPress is affected. Any installation using version 3.0.3 or earlier is vulnerable, regardless of the host WordPress version.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. With an EPSS score of less than 1%, the probability of exploitation appears low, and the flaw is not listed in CISA's KEV catalog. The attack is likely carried out through the plugin’s web interface, where improper checks allow unauthorized access to privileged actions.

Generated by OpenCVE AI on April 27, 2026 at 20:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the aDirectory plugin to the latest version (3.0.4 or later) to eliminate the missing authorization checks.
  • Ensure that only administrator accounts are granted permissions to perform privileged actions in the plugin’s configuration.
  • If the plugin is not required, disable or remove it from the WordPress installation.



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Wed, 25 Feb 2026 22:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 21:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Adirectory; Adirectory adirectory; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Adirectory; Adirectory adirectory; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Missing Authorization vulnerability in aDirectory aDirectory adirectory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects aDirectory: from n/a through <= 3.0.3.

Type: Title
Values Removed: (none)
Values Added: WordPress aDirectory plugin <= 3.0.3 - Broken Access Control vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:25.021Z

Reserved: 2025-12-15T10:00:28.857Z

Link: CVE-2025-67975

Vulnrichment

Updated: 2026-02-25T20:54:55.684Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:03.810

Modified: 2026-04-27T18:16:52.247

Link: CVE-2025-67975

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T21:00:13Z
