Description
Missing Authorization vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NextMove Lite: from n/a through <= 2.23.0.
Published: 2026-02-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated privileged access via broken access control
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a missing authorization check in the NextMove Lite plugin, which permits users to invoke privileged functions without proper authentication. This can lead to unauthorized modifications or data exposure within the WordPress site. As the CWE reference indicates, it is a classic case of Broken Access Control (CWE-862, Missing Authorization). No denial-of-service effect is reported.

Affected Systems

The flaw is present in all releases of XLPlugins NextMove Lite up through version 2.23.0, including earlier snapshots. WordPress sites that have the NextMove Lite plugin installed within that version range are affected.

Risk and Exploitability

The CVSS score of 7.5 signals a high severity. The EPSS score of less than 1% indicates a low likelihood of widespread exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack path, as suggested by the description, involves a web request to one of the plugin’s endpoints that bypasses normal WordPress permission checks. It is inferred that the attacker may need some level of WordPress access to exploit the vulnerability, but the CVE description does not explicitly state the required privileges or exact attack vector.

Generated by OpenCVE AI on April 28, 2026 at 09:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest update of NextMove Lite (version 2.24.0 or later), which fixes the broken access control.
  • If an immediate update is not feasible, temporarily disable the plugin or delete it from the WordPress installation to prevent exploitation.
  • Enforce strict WordPress role permissions so that only administrators can access the plugin’s configuration and action endpoints.
  • Audit the site for any credentials leaked via the plugin’s exposed endpoints and replace them as necessary.
  • Monitor WordPress logs for unexpected accesses to the plugin’s URLs and block offenders if detected.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 20:30:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Xlplugins; Xlplugins nextmove

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Xlplugins; Xlplugins nextmove

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NextMove Lite: from n/a through <= 2.23.0.

Type: Title
Values Added: WordPress NextMove Lite plugin <= 2.23.0 - Broken Access Control vulnerability

Type: Weaknesses
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:57:08.170Z

Reserved: 2025-12-15T10:01:07.754Z

Link: CVE-2025-68048

Vulnrichment

Updated: 2026-02-25T18:59:10.500Z

NVD

Status : Deferred

Published: 2026-02-20T16:22:08.750

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68048

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:45:28Z

Weaknesses