CVE-2025-49334

2025-12-31

Lifecycle Timeline

- Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
- CVE Published: Dec 31, 2025 - 16:15 (nvd)

Description (NVD)

Authorization Bypass Through User-Controlled Key vulnerability in Eduardo Villão MyD Delivery myd-delivery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MyD Delivery: from n/a through <= 1.7.1.

Analysis (AI)

An authorization bypass in the MyD Delivery WordPress plugin, through version 1.7.1, allows unauthenticated attackers to manipulate user-controlled keys and reach resources without proper permission validation, exploiting misconfigured access control security levels. The vulnerability carries a low exploitation probability (EPSS 0.04%) but represents a fundamental authorization flaw in the plugin's core access control mechanism.

Technical Context (AI)

MyD Delivery is a WordPress plugin (no CPE data was provided; the product is inferred from the plugin name and reference domain) that manages delivery operations. The vulnerability falls under CWE-639 (Authorization Bypass Through User-Controlled Key), which occurs when an application uses user-supplied input (such as a user ID, object ID, or session token) as the sole basis for an authorization decision, without server-side validation or role-based access control enforcement. This class of vulnerability typically manifests in REST API endpoints, AJAX handlers, or direct object references where the plugin fails to verify that the authenticated user (or an unauthenticated attacker) actually has permission to access the requested resource before returning sensitive data or executing privileged actions.
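To make the CWE-639 pattern concrete in WordPress terms, the following added example (not code from the MyD Delivery plugin, whose internals are not described here) contrasts a hypothetical REST endpoint that trusts a client-supplied record ID with a hardened version that enforces an ownership check. The route name, the `myd_delivery_order` post type and the `myd_delivery_permit` helper are assumptions for illustration only.

```php
<?php
// Added example: hypothetical delivery-order endpoint, NOT the plugin's own code.
// Vulnerable shape (CWE-639): the only "authorization" is the ID the client sends.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-delivery/v1', '/order/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true', // anyone, authenticated or not
        'callback'            => function ( WP_REST_Request $req ) {
            $order = get_post( (int) $req['id'] ); // user-controlled key, no owner check
            return $order ? rest_ensure_response( $order ) : new WP_Error( 'not_found', 'No order', array( 'status' => 404 ) );
        },
    ) );
} );

// Hardened shape: require a logged-in caller and verify the record belongs to them
// (or that they hold a privileged capability) before any data is returned.
function myd_delivery_permit( WP_REST_Request $req ) { // hypothetical helper name
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        return new WP_Error( 'rest_forbidden', 'Login required', array( 'status' => 401 ) );
    }
    $order = get_post( (int) $req['id'] );
    // Object must exist and be the expected type; unknown IDs must not leak existence.
    if ( ! $order || 'myd_delivery_order' !== $order->post_type ) { // assumed post type
        return new WP_Error( 'rest_forbidden', 'Not permitted', array( 'status' => 403 ) );
    }
    // Ownership check: the authenticated identity, not the request, decides access.
    $is_owner = ( (int) $order->post_author === $user_id );
    if ( ! $is_owner && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Not permitted', array( 'status' => 403 ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-delivery/v1', '/secure-order/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'permission_callback' => 'myd_delivery_permit', // runs before the callback
        'callback'            => function ( WP_REST_Request $req ) {
            return rest_ensure_response( get_post( (int) $req['id'] ) );
        },
        'args' => array( 'id' => array( 'validate_callback' => 'is_numeric' ) ),
    ) );
} );
```

When auditing a plugin for this class, grep for `'permission_callback' => '__return_true'` and for `wp_ajax_nopriv_` handlers that read an ID from the request and pass it straight to a data lookup.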

Affected Products (AI)

The MyD Delivery WordPress plugin is affected in all versions from an unspecified baseline through version 1.7.1 inclusive. The plugin is distributed through the WordPress.org plugin repository (the patchstack.com reference places it in the WordPress plugin ecosystem). No CPE string was provided in the input data, but the affected software is identifiable as the MyD Delivery delivery management plugin for WordPress, authored by Eduardo Villão.

Remediation (AI)

Update the MyD Delivery plugin to the latest available version beyond 1.7.1 immediately. No specific patched version number is confirmed in the provided data; consult the plugin's WordPress.org page or the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/myd-delivery/) for the exact recommended version. As an interim mitigation pending patch availability, restrict plugin functionality or disable delivery-related API endpoints if they expose user-controlled authorization logic. Audit existing installations for unauthorized access patterns in delivery records or user data.


CVE-2025-49334 vulnerability details – vuln.today
