Description
Missing Authorization vulnerability in Marketing Fire Discussion Board wp-discussion-board allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Discussion Board: from n/a through <= 2.5.7.
Published: 2025-12-30
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the Marketing Fire Discussion Board WordPress plugin, where incorrect access control security levels permit users to perform actions they should not be able to. This broken access control can enable an attacker to read, edit, or delete private discussion content and other protected data. The weakness is identified as CWE‑862, indicating a failure to enforce proper user authentication or authorization decisions.

Affected Systems

WordPress sites running the Marketing Fire Discussion Board plugin with a version up to and including 2.5.7 are impacted. Versions before the first release are also affected. No specific sub‑versions are listed, so all 2.5.7 and earlier builds are at risk.

Risk and Exploitability

The CVSS score of 4.3 reflects moderate severity, and the EPSS score of less than 1% indicates a low probability of exploitation at the time of this analysis. The plugin is not listed in the CISA KEV catalog, suggesting no documented widespread exploitation. Attackers likely need to authenticate through a WordPress account that has the ability to access the plugin’s administrative interface or any misconfigured access level that elevates privileges. Once authenticated, the attacker can exploit the broken access control to alter or exfiltrate discussion content.

Generated by OpenCVE AI on April 29, 2026 at 11:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Marketing Fire Discussion Board plugin to version 2.5.8 or later, which removes the authorization flaw.
  • If an upgrade is not immediately feasible, restrict plugin functionality by assigning only the necessary user roles or disabling the plugin’s public endpoints until a fix is applied.
  • Review and enforce the WordPress role‑based access control settings to ensure that only authorized administrators can use the plugin’s management features.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Marketingfire; Marketingfire discussion Board; Wordpress; Wordpress wordpress
Vendors & Products | | Marketingfire; Marketingfire discussion Board; Wordpress; Wordpress wordpress

Fri, 02 Jan 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Dec 2025 11:00:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in Marketing Fire Discussion Board wp-discussion-board allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Discussion Board: from n/a through <= 2.5.7.
Title | | WordPress Discussion Board plugin <= 2.5.7 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:33:36.855Z

Reserved: 2025-12-29T11:18:30.573Z

Link: CVE-2025-69023

Vulnrichment

Updated: 2026-01-02T20:46:48.065Z

NVD

Status: Deferred

Published: 2025-12-30T11:16:00.763

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69023

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:15:09Z

Weaknesses