Description
Missing Authorization vulnerability in Kraft Plugins Wheel of Life wheel-of-life allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wheel of Life: from n/a through <= 1.2.0.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass via Broken Access Control
Action: Patch
AI Analysis

Impact

The vulnerability in the Wheel of Life WordPress plugin stems from a missing authorization check, allowing users to trigger privileged functions without proper verification. This flaw leads to an authorization bypass, enabling attackers to elevate privileges within the plugin, potentially exposing sensitive configuration or manipulating plugin data. The weakness is classified as CWE‑862, reflecting a failure to enforce adequate access control.

Affected Systems

WordPress sites that have installed Kraft Plugins Wheel of Life version 1.2.0 or earlier are impacted. The vulnerability does not affect newer releases beyond 1.2.0, but any site still running the affected plugin version remains at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS value of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not currently listed in CISA’s KEV catalog. Because the flaw requires access to a request that is not properly authorized, the attack vector is likely local to users who can reach the plugin’s administration interface, however the exact prerequisites are not fully detailed in the available description.

Generated by OpenCVE AI on April 16, 2026 at 00:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wheel of Life plugin to a version newer than 1.2.0 to apply the vendor fix.
  • If an immediate update is not possible, restrict access to the plugin’s administrative functionality by enforcing stricter WordPress role permissions or using a role‑based access control solution.
  • Validate that no other plugins on the site contain similar missing authorization weaknesses by conducting a periodic audit of all installed plugins.

Generated by OpenCVE AI on April 16, 2026 at 00:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Kraftplugins
Kraftplugins wheel Of Life
Wordpress
Wordpress wordpress
Vendors & Products Kraftplugins
Kraftplugins wheel Of Life
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Kraft Plugins Wheel of Life wheel-of-life allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wheel of Life: from n/a through <= 1.2.0.
Title WordPress Wheel of Life plugin <= 1.2.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Kraftplugins Wheel Of Life
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:52.865Z

Reserved: 2026-01-28T09:50:57.103Z

Link: CVE-2026-25000

cve-icon Vulnrichment

Updated: 2026-02-19T21:42:55.862Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:13.927

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25000

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T00:45:15Z

Weaknesses