Info Cards CVE-2025-54711
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in bPlugins Info Cards info-cards allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Info Cards: from n/a through <= 1.0.11.
AnalysisAI
Broken access control in Info Cards WordPress plugin 1.0.11 and earlier allows authenticated users to access administrative functions without proper authorization checks. Authenticated low-privilege users can exploit missing ACLs to perform unauthorized modifications or cause denial of service conditions. Reported by Patchstack audit team with authentication bypass classification. EPSS score of 0.05% (16th percentile) indicates low observed exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis.
Technical ContextAI
This is a CWE-862 (Missing Authorization) vulnerability in the Info Cards WordPress plugin by bPlugins. The plugin fails to properly implement Access Control Lists (ACLs) on administrative functionality, allowing authenticated users with low privileges to bypass role-based restrictions. In WordPress security contexts, proper authorization checks (using current_user_can() or equivalent capability checks) must validate that users have appropriate permissions before executing sensitive operations. This vulnerability affects the plugin's core authorization architecture rather than a specific feature, suggesting missing or improperly implemented capability checks across admin endpoints or AJAX handlers.
Affected ProductsAI
WordPress Info Cards plugin by bPlugins, versions 1.0.11 and all earlier releases. The vulnerability affects the core authorization framework of the plugin. Vendor details and specific version introduction point not confirmed from available data. Patchstack advisory available at https://patchstack.com/database/Wordpress/Plugin/info-cards/vulnerability/wordpress-info-cards-plugin-1-0-11-broken-access-control-vulnerability
RemediationAI
Update Info Cards plugin to version 1.0.12 or later if available (check WordPress plugin repository or vendor release notes). As of analysis time, specific patched version not independently confirmed from NVD or vendor advisory. Until patch is applied, implement compensating controls: restrict WordPress user registration to trusted users only via Settings > General > Membership (uncheck 'Anyone can register'), review and minimize existing low-privilege user accounts, implement IP-based access restrictions to wp-admin for non-administrator roles using .htaccess or firewall rules (trade-off: may impact legitimate remote contributors). Monitor WordPress audit logs for unauthorized admin-level actions by subscriber/contributor accounts. For high-risk environments, temporarily deactivate the Info Cards plugin until vendor confirmation of patched release. Verify fix version and changelog at plugin repository before upgrading.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today