{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25462", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:53.793Z", "datePublished": "2026-03-25T16:14:51.394Z", "dateUpdated": "2026-03-25T16:14:51.394Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "avalex", "product": "avalex", "vendor": "avalex", "versions": [{"changes": [{"at": "3.1.4", "status": "unaffected"}], "lessThanOrEqual": "<= 3.1.3", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:29.536Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in avalex avalex avalex allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects avalex: from n/a through <= 3.1.3.</p>"}], "value": "Missing Authorization vulnerability in avalex avalex avalex allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects avalex: from n/a through <= 3.1.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:51.394Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/avalex/vulnerability/wordpress-avalex-plugin-3-1-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress avalex plugin <= 3.1.3 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in avalex avalex avalex allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects avalex: from n/a through <= 3.1.3."}], "id": "CVE-2026-25462", "lastModified": "2026-03-25T17:16:52.430", "metrics": {}, "published": "2026-03-25T17:16:52.430", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/avalex/vulnerability/wordpress-avalex-plugin-3-1-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:50:12.114556+00:00", "value": {"mitigation_remediation": ["Upgrade the Avalex plugin to a version newer than 3.1.3.", "If upgrading is not feasible, disable or remove the plugin entirely.", "Restrict access to the plugin\u2019s administrative endpoints so that only privileged users can reach them.", "Keep the WordPress core and all other plugins at their latest secure releases.", "Monitor site logs for abnormal access patterns that may indicate exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "All WordPress sites running avalex plugin versions 3.1.3 or earlier are affected. The plugin is distributed by avalex and can be installed on any WordPress installation that has chosen to use it.", "description_and_impact": "Missing authorization in the avalex WordPress plugin allows any user to access privileged administrative functions, effectively bypassing expected authorization controls. This flaw maps to CWE\u2011862, Authorization Bypass Through User-Controlled Key, and can let an attacker create, modify, or delete content, thereby compromising confidentiality, integrity, and availability of the site.", "risk_and_exploitability": "Attackers can exploit the flaw via standard HTTP requests to the plugin\u2019s administrative endpoints without needing credentials, suggesting a remote, server-side attack vector. No CVSS score was reported, but the missing authorization nature implies high severity. EPSS data is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog, yet the potential for widespread impact remains."}}}}, "created": "2026-03-25T21:44:18.191709+00:00", "updated": "2026-03-25T21:44:18.191795+00:00", "vendors": []}