Skip to main content

Admin Safety Guard CVE-2026-25471

| EUVDEUVD-2026-13063 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-03-19 Patchstack
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 16:12 vuln.today
cvss_changed
EUVD ID Assigned
Mar 19, 2026 - 07:45 euvd
EUVD-2026-13063
Analysis Generated
Mar 19, 2026 - 07:45 vuln.today
CVE Published
Mar 19, 2026 - 07:17 nvd
HIGH 8.1

DescriptionCVE.org

Authentication Bypass Using an Alternate Path or Channel vulnerability in Themepaste Admin Safety Guard allows Password Recovery Exploitation.This issue affects Admin Safety Guard: from n/a through 1.2.6.

AnalysisAI

The Admin Safety Guard WordPress plugin versions through 1.2.6 contains an authentication bypass vulnerability that allows attackers to exploit password recovery mechanisms through alternate paths or channels. Attackers can remotely compromise administrator accounts without authentication, leading to complete site takeover. The vulnerability has a CVSS score of 8.1 (High) with high attack complexity, though no EPSS data or KEV listing indicates limited observed exploitation to date.

Technical ContextAI

This vulnerability affects the Admin Safety Guard WordPress plugin developed by Themepaste, specifically targeting versions up to and including 1.2.6 as identified by CPE cpe:2.3:a:themepaste:admin_safety_guard:*:*:*:*:*:*:*:*. The root cause is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel), which occurs when an application provides multiple authentication paths or channels but fails to properly secure alternative mechanisms. In this case, the password recovery functionality appears to implement an insecure alternate authentication channel that can be exploited to gain unauthorized access without proper credential validation. This represents a fundamental flaw in the security architecture where security controls can be circumvented by accessing the system through an unprotected or poorly protected route.

RemediationAI

Users of Admin Safety Guard should immediately upgrade to a version newer than 1.2.6 if available from the plugin developer Themepaste. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/admin-safety-guard/vulnerability/wordpress-admin-safety-guard-plugin-1-2-2-broken-authentication-vulnerability?_s_id=cve for specific patch guidance and version recommendations. If an updated version is not available or patching cannot be performed immediately, consider temporarily disabling the Admin Safety Guard plugin and implementing alternative WordPress security hardening measures such as enforcing strong password policies, implementing two-factor authentication through alternative plugins, limiting login attempts, and restricting administrative access to trusted IP addresses via server-level firewall rules or WordPress security plugins. Monitor WordPress admin login logs for suspicious password recovery attempts during the interim period.

Share

CVE-2026-25471 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy