ByteOS Network

Vulnerability Details :

CVE-2026-25420

Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3

Published At-19 Feb, 2026 | 08:27

Updated At-20 Feb, 2026 | 15:22

WordPress MailerLite plugin <= 1.7.18 - Broken Access Control vulnerability

Missing Authorization vulnerability in MailerLite MailerLite official-mailerlite-sign-up-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MailerLite: from n/a through <= 1.7.18.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:Patchstack

Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3

Published At:19 Feb, 2026 | 08:27

Updated At:20 Feb, 2026 | 15:22

▼CVE Numbering Authority (CNA)

WordPress MailerLite plugin <= 1.7.18 - Broken Access Control vulnerability

Affected Products

Vendor

MailerLite

Product

MailerLite

Collection URL

https://wordpress.org/plugins

Package Name

official-mailerlite-sign-up-forms

Default Status

unaffected

Versions

Affected

From n/a through <= 1.7.18 (custom)
- -> unaffectedfrom1.7.19

Problem Types

Type	CWE ID	Description
CWE	CWE-862	Missing Authorization

Type: CWE

CWE ID: CWE-862

Description: Missing Authorization

Impacts

CAPEC ID	Description
CAPEC-180	Exploiting Incorrectly Configured Access Control Security Levels

CAPEC ID: CAPEC-180

Description: Exploiting Incorrectly Configured Access Control Security Levels

Credits

finder

daroo | Patchstack Bug Bounty Program

References

Hyperlink	Resource
https://patchstack.com/database/Wordpress/Plugin/official-mailerlite-sign-up-forms/vulnerability/wordpress-mailerlite-plugin-1-7-18-broken-access-control-vulnerability?_s_id=cve	vdb-entry

Hyperlink: https://patchstack.com/database/Wordpress/Plugin/official-mailerlite-sign-up-forms/vulnerability/wordpress-mailerlite-plugin-1-7-18-broken-access-control-vulnerability?_s_id=cve

Resource:

vdb-entry

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics

Version	Base score	Base severity	Vector
3.1	4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Version: 3.1

Base score: 4.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:audit@patchstack.com

Published At:19 Feb, 2026 | 09:16

Updated At:19 Feb, 2026 | 15:52

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Weaknesses

CWE ID	Type	Source
CWE-862	Primary	audit@patchstack.com

CWE ID: CWE-862

Type: Primary

Source: audit@patchstack.com

References

Hyperlink	Source	Resource
https://patchstack.com/database/Wordpress/Plugin/official-mailerlite-sign-up-forms/vulnerability/wordpress-mailerlite-plugin-1-7-18-broken-access-control-vulnerability?_s_id=cve	audit@patchstack.com	N/A

Hyperlink: https://patchstack.com/database/Wordpress/Plugin/official-mailerlite-sign-up-forms/vulnerability/wordpress-mailerlite-plugin-1-7-18-broken-access-control-vulnerability?_s_id=cve

Source: audit@patchstack.com

Resource: N/A

Similar CVEs

65Records found

CVE-2025-31546

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-4.3||MEDIUM

EPSS-0.22% / 44.21%

7 Day CHG~0.00%

Published-31 Mar, 2025 | 12:55

Updated-01 Apr, 2025 | 20:26

WordPress Swiss Toolkit For WP plugin <= 1.3.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Messiah Swiss Toolkit For WP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Swiss Toolkit For WP: from n/a through 1.3.0.

Vendor-WP Messiah

Product-Swiss Toolkit For WP

CWE ID-CWE-862

Missing Authorization

CVE-2025-31830

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-4.3||MEDIUM

EPSS-0.22% / 44.21%

7 Day CHG~0.00%

Published-01 Apr, 2025 | 14:51

Updated-01 Apr, 2025 | 20:26

WordPress Printus Plugin <= 1.2.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Uriahs Victor Printus allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Printus: from n/a through 1.2.6.

Vendor-Uriahs Victor

Product-Printus

CWE ID-CWE-862

Missing Authorization

CVE-2025-30978

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-4.3||MEDIUM

EPSS-0.07% / 21.19%

7 Day CHG~0.00%

Published-06 Jun, 2025 | 12:54

Updated-06 Jun, 2025 | 16:25

WordPress Slack Notifications by dorzki <= 2.0.7 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Dor Zuberi Slack Notifications by dorzki allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Slack Notifications by dorzki: from n/a through 2.0.7.

Vendor-Dor Zuberi

Product-Slack Notifications by dorzki

CWE ID-CWE-862

Missing Authorization

CVE-2025-28938

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-4.3||MEDIUM

EPSS-0.12% / 31.49%

7 Day CHG~0.00%

Published-11 Mar, 2025 | 21:01

Updated-12 Mar, 2025 | 13:48

WordPress WP Performance Pack plugin <= 2.5.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Bjoern WP Performance Pack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Performance Pack: from n/a through 2.5.3.

Vendor-Bjoern

Product-WP Performance Pack

CWE ID-CWE-862

Missing Authorization

CVE-2025-26955

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-4.3||MEDIUM

EPSS-0.22% / 44.21%

7 Day CHG~0.00%

Published-15 Apr, 2025 | 11:59

Updated-15 Apr, 2025 | 18:39

WordPress Industrial Lite theme <= 1.0.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in VW Themes Industrial Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Industrial Lite: from n/a through 1.0.8.

Vendor-VW Themes

Product-Industrial Lite

CWE ID-CWE-862

Missing Authorization

CVE-2024-7605

Matching Score-4

Assigner-Wordfence

View Details

Matching Score-4

Assigner-Wordfence

CVSS Score-4.3||MEDIUM

EPSS-0.13% / 32.62%

7 Day CHG~0.00%

Published-05 Sep, 2024 | 11:00

Updated-12 Sep, 2024 | 14:24

HelloAsso <= 1.1.10 - Missing Authorization to Authenticated (Contributor+) Limited Options Update

The HelloAsso plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ha_ajax' function in all versions up to, and including, 1.1.10. This makes it possible for authenticated attackers, with Contributor-level access and above, to update plugin options, potentially disrupting the service.

Vendor-helloasso helloasso

Product-helloasso HelloAsso

CWE ID-CWE-862

Missing Authorization

CVE-2024-54402

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-4.3||MEDIUM

EPSS-0.14% / 34.40%

7 Day CHG~0.00%

Published-16 Dec, 2024 | 14:14

Updated-16 Dec, 2024 | 19:59

WordPress Arabic Webfonts plugin <= 1.4.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jozoor Arabic Webfonts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Arabic Webfonts: from n/a through 1.4.6.

Vendor-Jozoor

Product-Arabic Webfonts

CWE ID-CWE-862

Missing Authorization

CVE-2024-55994

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-4.3||MEDIUM

EPSS-0.17% / 37.45%

7 Day CHG~0.00%

Published-16 Dec, 2024 | 14:14

Updated-16 Dec, 2024 | 19:44

WordPress 畅言评论系统 plugin <= 2.0.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in 搜狐畅言畅言评论系统 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 畅言评论系统: from n/a through 2.0.5.

Vendor-搜狐畅言

Product-畅言评论系统

CWE ID-CWE-862

Missing Authorization

CVE-2024-5489

Matching Score-4

Assigner-Wordfence

View Details

Matching Score-4

Assigner-Wordfence

CVSS Score-4.3||MEDIUM

EPSS-0.13% / 32.62%

7 Day CHG~0.00%

Published-06 Jun, 2024 | 11:33

Updated-01 Aug, 2024 | 21:11

Wbcom Designs - Custom Font Uploader <= 2.3.4 - Missing Authorization to Font Deletion

The Wbcom Designs – Custom Font Uploader plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cfu_delete_customfont' function in all versions up to, and including, 2.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete any custom font.

Vendor-wbcomdesigns wbcomdesigns

Product-custom_font_uploader Wbcom Designs – Custom Font Uploader

CWE ID-CWE-862

Missing Authorization

CVE-2024-43118

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-4.3||MEDIUM

EPSS-0.24% / 47.06%

7 Day CHG~0.00%

Published-01 Nov, 2024 | 14:17

Updated-15 May, 2025 | 17:25

WordPress Hummingbird plugin <= 3.9.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPMU DEV Hummingbird allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hummingbird: from n/a through 3.9.1.

Vendor-Incsub, LLC

Product-hummingbird Hummingbird

CWE ID-CWE-862

Missing Authorization

CVE-2024-43119

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-4.3||MEDIUM

EPSS-0.12% / 31.59%

7 Day CHG~0.00%

Published-01 Nov, 2024 | 14:17

Updated-01 Nov, 2024 | 20:24

WordPress Aruba HiSpeed Cache plugin <= 2.0.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in Aruba.It Aruba HiSpeed Cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Aruba HiSpeed Cache: from n/a through 2.0.12.

Vendor-Aruba.it

Product-Aruba HiSpeed Cache

CWE ID-CWE-862

Missing Authorization

CVE-2023-22708

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-4.3||MEDIUM

EPSS-0.16% / 36.80%

7 Day CHG~0.00%

Published-09 Dec, 2024 | 11:31

Updated-09 Dec, 2024 | 18:40

WordPress Kraken.io Image Optimizer plugin <= 2.6.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Karim Salman Kraken.io Image Optimizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kraken.io Image Optimizer: from n/a through 2.6.7.

Vendor-Karim Salman

Product-Kraken.io Image Optimizer

CWE ID-CWE-862

Missing Authorization

CVE-2024-56217

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-4.3||MEDIUM

EPSS-0.07% / 22.46%

7 Day CHG~0.00%

Published-31 Dec, 2024 | 10:21

Updated-21 Mar, 2025 | 15:48

WordPress Download Manager plugin <= 3.3.03 - Broken Access Control vulnerability

Missing Authorization vulnerability in W3 Eden, Inc. Download Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Manager: from n/a through 3.3.03.

Vendor-W3 Eden, Inc.

Product-download_manager Download Manager

CWE ID-CWE-862

Missing Authorization

CVE-2024-56219

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-4.3||MEDIUM

EPSS-0.11% / 28.94%

7 Day CHG~0.00%

Published-31 Dec, 2024 | 10:22

Updated-31 Dec, 2024 | 15:41

WordPress Widget Options plugin <= 4.0.6.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in MarketingFire Widget Options allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Widget Options: from n/a through 4.0.6.1.

Vendor-MarketingFire

Product-Widget Options

CWE ID-CWE-862

Missing Authorization

CVE-2024-54679

Matching Score-4

Assigner-MITRE Corporation

View Details

Matching Score-4

Assigner-MITRE Corporation

CVSS Score-4.3||MEDIUM

EPSS-2.20% / 84.13%

7 Day CHG+0.04%

Published-05 Dec, 2024 | 00:00

Updated-05 Sep, 2025 | 13:39

CyberPanel (aka Cyber Panel) before 6778ad1 does not require the FilemanagerAdmin capability for restartMySQL actions.

Vendor-n/a CyberPersons LLC

Product-cyberpanel n/a

CWE ID-CWE-862

Missing Authorization

CVE-2026-25420

Credits

WordPress MailerLite plugin <= 1.7.18 - Broken Access Control vulnerability

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs