Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in MadrasThemes MAS Videos masvideos allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MAS Videos: from n/a through <= 1.3.2.
AnalysisAI
MAS Videos through version 1.3.2 contains an authorization bypass that allows unauthenticated attackers to modify data due to improper access control validation. An attacker can exploit this vulnerability over the network without user interaction to manipulate protected resources. No patch is currently available for this vulnerability.
Technical ContextAI
MAS Videos is a WordPress plugin developed by MadrasThemes that provides video management and hosting capabilities. The vulnerability stems from CWE-862 (Missing Authorization), a class of weakness where the application fails to enforce proper access control checks before allowing sensitive operations. The plugin does not adequately verify that users making requests to modify video content possess the necessary permissions or authentication tokens. This is a classic server-side access control failure where security decisions are either missing entirely or rely on client-side validation rather than server-side authorization enforcement. The vulnerability affects the plugin across versions up to and including 1.3.2, indicating a longstanding authorization bypass condition in the access control security levels implemented by the plugin.
RemediationAI
Immediately upgrade MAS Videos plugin to the latest available version beyond 1.3.2 through the WordPress plugin management interface or directly from MadrasThemes. Verify that the upgraded version includes proper authorization checks by reviewing the plugin changelog or security advisory from MadrasThemes. Until a patched version can be deployed, implement network-level access restrictions to limit plugin functionality to authenticated WordPress administrators only, and consider disabling video modification endpoints at the web server level using .htaccess or equivalent rules if the plugin is not actively in use. Additionally, conduct an audit of any video content modifications that occurred while running vulnerable versions to identify unauthorized changes.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11834