Description
Missing Authorization vulnerability in Kraft Plugins Demo Importer Plus demo-importer-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Demo Importer Plus: from n/a through <= 2.0.8.
Published: 2025-12-30
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the Demo Importer Plus plugin for WordPress. It allows attackers to exploit incorrectly configured access controls, meaning that users may perform actions or access data that should require certain privileges. The defect aligns with CWE‑862, a broken access control weakness. No remote code execution or privilege escalation beyond the scope of the plugin’s functionality is documented.

Affected Systems

Affected systems include installations running Kraft Plugins Demo Importer Plus version 2.0.8 or earlier. The plugin is a WordPress add‑on that facilitates importing demo content, and the flaw applies across all platforms where WordPress and the plugin are deployed as long as the vulnerable version is active.

Risk and Exploitability

The CVSS score is 4.3, indicating a moderate impact. The EPSS score is less than 1%, suggesting that exploit attempts are currently rare or unlikely. The vulnerability is not listed in CISA's KEV catalog. Attackers could potentially exploit the flaw remotely by accessing unprotected admin routes within WordPress, making the attack vector likely remote over the web. Successful exploitation would grant unauthorized users access to the plugin’s import capabilities and any data they can import, but there is no evidence of further privilege escalation outside the plugin’s scope.

Generated by OpenCVE AI on April 29, 2026 at 10:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Demo Importer Plus to a version newer than 2.0.8.
  • If upgrading is not feasible, disable or uninstall the plugin until a patch is available.
  • Restrict the plugin’s functionality to administrator users only by configuring role-based access controls in WordPress.

Generated by OpenCVE AI on April 29, 2026 at 10:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Wed, 07 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Kraftplugins
Kraftplugins demo Importer Plus
Wordpress
Wordpress wordpress
Vendors & Products Kraftplugins
Kraftplugins demo Importer Plus
Wordpress
Wordpress wordpress

Tue, 30 Dec 2025 11:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Kraft Plugins Demo Importer Plus demo-importer-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Demo Importer Plus: from n/a through <= 2.0.8.
Title WordPress Demo Importer Plus plugin <= 2.0.8 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Kraftplugins Demo Importer Plus
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:42:08.631Z

Reserved: 2025-12-29T11:19:16.970Z

Link: CVE-2025-69091

cve-icon Vulnrichment

Updated: 2026-01-07T15:20:24.794Z

cve-icon NVD

Status : Deferred

Published: 2025-12-30T11:16:02.443

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69091

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T10:15:08Z

Weaknesses