Skip to main content

Info Cards CVE-2025-54711

HIGH
Missing Authorization (CWE-862)
2025-11-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

4
Analysis Updated
Apr 24, 2026 - 00:45 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
HIGH 7.1

DescriptionCVE.org

Missing Authorization vulnerability in bPlugins Info Cards info-cards allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Info Cards: from n/a through <= 1.0.11.

AnalysisAI

Broken access control in Info Cards WordPress plugin 1.0.11 and earlier allows authenticated users to access administrative functions without proper authorization checks. Authenticated low-privilege users can exploit missing ACLs to perform unauthorized modifications or cause denial of service conditions. Reported by Patchstack audit team with authentication bypass classification. EPSS score of 0.05% (16th percentile) indicates low observed exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis.

Technical ContextAI

This is a CWE-862 (Missing Authorization) vulnerability in the Info Cards WordPress plugin by bPlugins. The plugin fails to properly implement Access Control Lists (ACLs) on administrative functionality, allowing authenticated users with low privileges to bypass role-based restrictions. In WordPress security contexts, proper authorization checks (using current_user_can() or equivalent capability checks) must validate that users have appropriate permissions before executing sensitive operations. This vulnerability affects the plugin's core authorization architecture rather than a specific feature, suggesting missing or improperly implemented capability checks across admin endpoints or AJAX handlers.

Affected ProductsAI

WordPress Info Cards plugin by bPlugins, versions 1.0.11 and all earlier releases. The vulnerability affects the core authorization framework of the plugin. Vendor details and specific version introduction point not confirmed from available data. Patchstack advisory available at https://patchstack.com/database/Wordpress/Plugin/info-cards/vulnerability/wordpress-info-cards-plugin-1-0-11-broken-access-control-vulnerability

RemediationAI

Update Info Cards plugin to version 1.0.12 or later if available (check WordPress plugin repository or vendor release notes). As of analysis time, specific patched version not independently confirmed from NVD or vendor advisory. Until patch is applied, implement compensating controls: restrict WordPress user registration to trusted users only via Settings > General > Membership (uncheck 'Anyone can register'), review and minimize existing low-privilege user accounts, implement IP-based access restrictions to wp-admin for non-administrator roles using .htaccess or firewall rules (trade-off: may impact legitimate remote contributors). Monitor WordPress audit logs for unauthorized admin-level actions by subscriber/contributor accounts. For high-risk environments, temporarily deactivate the Info Cards plugin until vendor confirmation of patched release. Verify fix version and changelog at plugin repository before upgrading.

Share

CVE-2025-54711 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy