Description
Missing Authorization vulnerability in Addonify Addonify addonify-quick-view allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Addonify: from n/a through <= 2.0.4.
Published: 2025-12-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing authorization logic in the Addonify Quick View plugin allows attackers to exploit improperly configured access control levels, potentially granting unauthorized users privileged access to plugin functionality. The weakness could lead to sensitive information exposure or modification if the restricted actions are misused.

Affected Systems

The vulnerability affects the Addonify Quick View plugin (Addonify) distributed for WordPress, with all released versions up to and including 2.0.4 exposed.

Risk and Exploitability

The CVSS score of 5.3 points to a medium severity issue, while the EPSS score of less than 1% indicates a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, and there is no evidence of a current active exploit. Attackers would typically need to interact with the plugin’s web interface or craft specific requests to bypass normal WordPress role checks. Mitigation requires applying the vendor’s patch or, failing that, relying on temporary controls only.

Generated by OpenCVE AI on April 29, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Addonify Quick View plugin to a version newer than 2.0.4, ensuring that the release includes the access control fix.
  • If an update cannot be applied immediately, disable or remove the plugin from the WordPress site until a fixed version is available.
  • Review WordPress role definitions and verify that only authorized users can access the plugin’s administrative features, enforcing proper capability checks.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 29 Dec 2025 23:15:00 +0000

Type: First Time appeared
Values Added:
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Added:
  Wordpress
  Wordpress wordpress

Wed, 24 Dec 2025 20:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Dec 2025 13:15:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in Addonify Addonify addonify-quick-view allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Addonify: from n/a through <= 2.0.4.

Type: Title
Values Added: WordPress Addonify plugin <= 2.0.4 - Broken Access Control vulnerability

Type: Weaknesses
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:30.691Z

Reserved: 2025-12-19T10:17:34.322Z

Link: CVE-2025-68578

Vulnrichment

Updated: 2025-12-24T18:50:38.743Z

NVD

Status: Deferred

Published: 2025-12-24T13:16:24.893

Modified: 2026-04-27T19:16:32.780

Link: CVE-2025-68578

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T15:30:14Z

Weaknesses