CVE-2025-0958

medium

Description

The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized access to functionality in all versions up to, and including, 4.2.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary auctions, posts as well as pages and allows them to execute other actions related to auction handling.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/af3675c9-3a6b-4139-85e8-2fc57f290e82?source=cve

https://plugins.trac.wordpress.org/changeset/3242416/ultimate-auction/trunk/ultimate-auction.php

https://plugins.trac.wordpress.org/browser/ultimate-auction/trunk/ultimate-auction.php#L274

https://plugins.trac.wordpress.org/browser/ultimate-auction/trunk/ultimate-auction.php#L219

https://plugins.trac.wordpress.org/browser/ultimate-auction/trunk/ajax-actions/send-private-msg.php#L35

Details

Source: Mitre, NVD

Published: 2025-03-04

Updated: 2025-03-04

Risk Information

CVSS v2

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 5.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00054