WordPress
CVE-2025-10303
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Library Management System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the owt7_library_management_ajax_handler() function in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update and manipulate several of the plugin's settings and features.
AnalysisAI
Library Management System plugin for WordPress versions up to 3.1 allows authenticated Subscriber-level users to modify plugin settings and features due to missing capability checks in the owt7_library_management_ajax_handler() AJAX function. An attacker with minimal WordPress account privileges can remotely manipulate plugin configuration without administrative authorization, leading to unauthorized changes to library data and system behavior. No active exploitation or public exploit code has been identified at this time.
Technical ContextAI
The vulnerability stems from a missing capability check (CWE-862: Missing Authorization) in the AJAX handler function owt7_library_management_ajax_handler() within the Library Management System WordPress plugin. This handler processes AJAX requests that modify plugin settings but fails to verify that the requesting user possesses the required administrative capabilities before performing write operations. WordPress capability checks (typically requiring 'manage_options' or similar admin-level permissions) are the standard authorization mechanism for plugin settings. The CVSS vector (PR:L) confirms the attack requires authenticated login, but the missing capability check allows any authenticated user-including those with only Subscriber role-to escalate their effective permissions over plugin functionality.
Affected ProductsAI
Library Management System plugin for WordPress in all versions up to and including 3.1. The plugin is distributed via the official WordPress plugin repository at plugins.trac.wordpress.org. Organizations running the WordPress plugin with default configurations allowing Subscriber-level user registration are directly affected.
RemediationAI
Update Library Management System plugin to version 3.2 or later, which includes a patch implementing proper capability checks on the owt7_library_management_ajax_handler() function (per WordPress plugin repository changeset 3382258). Site administrators should navigate to WordPress Dashboard > Plugins > Installed Plugins, locate Library Management System, and click Update to the latest version. As an interim measure on sites where immediate patching is not feasible, restrict user registration to trusted accounts only and audit existing user roles to remove Subscriber access for non-essential users. Verify no unauthorized settings modifications have occurred by comparing plugin settings against documented baseline configurations. Wordfence vulnerability intelligence page (https://www.wordfence.com/threat-intel/vulnerabilities/id/9e45feb6-5ffa-4ad3-9549-4414988f040e) provides additional monitoring guidance.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today