Description
Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Institutions Directory: from n/a through <= 1.3..4.
Published: 2026-01-22
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Broken Access Control
Action: Patch
AI Analysis

Impact

The flaw is a missing authorization vulnerability that allows an attacker to exploit incorrectly configured access control security levels. This deficiency, classified as CWE-862, lets unauthenticated or low‑privilege users perform actions reserved for higher‑privileged roles, potentially modifying or deleting data and compromising the integrity and availability of the affected system.

Affected Systems

The issue affects e‑plugins Institutions Directory plugin from unspecified minimum versions up through 1.3.4. Based on the plugin’s name and typical usage, it is inferred that this plugin operates within a WordPress site, so administrators should verify that any installations of the plugin in that version range are affected.

Risk and Exploitability

With a CVSS score of 7.6, the vulnerability is considered high severity. The EPSS score of < 1% indicates that exploitation is currently uncommon, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is via HTTP requests to the plugin’s endpoints, and it would require bypassing normal WordPress authentication controls. Attackers could then elevate privileges within the plugin’s scope to perform unauthorized actions.

Generated by OpenCVE AI on April 28, 2026 at 09:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Institutions Directory plugin to version 1.3.5 or later.
  • If an upgrade is not immediately possible, disable or uninstall the plugin to eliminate the attack surface.
  • Ensure that any custom code or integrations enforce role‑based access checks consistent with WordPress’s capabilities before invoking plugin functionality.

Generated by OpenCVE AI on April 28, 2026 at 09:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}

 cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L'}

Wed, 28 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared E-plugins
E-plugins institutions Directory
Wordpress
Wordpress wordpress
Vendors & Products E-plugins
E-plugins institutions Directory
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Institutions Directory: from n/a through <= 1.3..4.
Title WordPress Institutions Directory plugin <= 1.3..4 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

E-plugins Institutions Directory
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:27.820Z

Reserved: 2025-12-15T10:01:11.955Z

Link: CVE-2025-68058

cve-icon Vulnrichment

Updated: 2026-01-28T16:58:29.912Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:09.743

Modified: 2026-04-27T19:16:24.040

Link: CVE-2025-68058

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T10:00:06Z

Weaknesses