Description
Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Institutions Directory: from n/a through <= 1.3.4.
Published: 2026-01-22
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Institutions Directory plugin suffers from a missing authorization check that lets a user perform actions beyond their intended privileges. The flaw, identified as CWE‑862, permits unauthorized access to restricted parts of the plugin’s interface, potentially exposing sensitive data or enabling modification of plugin-managed records. Because it is a client‑facing component, the impact is confined to users interacting with the WordPress site but can undermine data confidentiality and integrity if exploited.

Affected Systems

The vulnerability affects the WordPress Institutions Directory plugin from e‑plugins, in all releases through and including version 1.3.4. WordPress site administrators using this plugin are exposed until a newer, patched release is installed. Versions older than 1.3.4 are also affected, as the issue applies to the entire range of affected releases.

Risk and Exploitability

The CVSS score of 7.3 indicates a high impact if the flaw is leveraged, but the EPSS score of less than 1% shows a very low likelihood of active exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. Exploitation would require access to the web interface of the affected site, most likely through authenticated requests; a remote attacker with valid user credentials could gain elevated access by interacting with the plugin’s administration pages.

Generated by OpenCVE AI on April 29, 2026 at 10:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Institutions Directory plugin to a version newer than 1.3.4.
  • If an upgrade is not immediately available, restrict the plugin’s admin pages to the ‘Administrator’ role by using WordPress role‑based access controls or a security plugin that limits endpoint access.
  • If the plugin cannot be disabled or restricted, consider uninstalling it or replacing it with a trusted alternative that implements proper authentication checks.

Generated by OpenCVE AI on April 29, 2026 at 10:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared E-plugins
E-plugins institutions Directory
Wordpress
Wordpress wordpress
Vendors & Products E-plugins
E-plugins institutions Directory
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Institutions Directory: from n/a through <= 1.3.4.
Title WordPress Institutions Directory plugin <= 1.3.4 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

E-plugins Institutions Directory
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:43:52.334Z

Reserved: 2025-12-29T11:20:13.815Z

Link: CVE-2025-69184

cve-icon Vulnrichment

Updated: 2026-01-27T20:07:19.304Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:24.980

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69184

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T10:45:09Z

Weaknesses