Skip to main content

Wpsubscription EUVDEUVD-2025-208999

| CVE-2025-69347 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-25 Patchstack GHSA-8jxq-2j45-8v3q
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
8.5 (HIGH) 8.6 (HIGH)
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2025-208999
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 8.5

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in Convers Lab WPSubscription subscription allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPSubscription: from n/a through <= 1.8.10.

AnalysisAI

WPSubscription plugin versions up to 1.8.10 contain an authorization bypass vulnerability allowing attackers to exploit incorrectly configured access control through user-controlled keys, enabling unauthorized access to subscription-related resources and functionality. The vulnerability affects WordPress installations running the affected WPSubscription plugin and could allow unauthenticated or low-privileged attackers to circumvent security controls. No CVSS score, EPSS data, or active KEV designation is currently available, though the vulnerability was reported by Patchstack security researchers and assigned ENISA EUVD ID EUVD-2025-208999.

Technical ContextAI

The vulnerability resides in the WPSubscription WordPress plugin (CPE: cpe:2.3:a:convers_lab:wpsubscription:*:*:*:*:*:*:*:*), which provides subscription management functionality for WordPress sites. The root cause is classified under CWE-639 (Authorization Through User-Controlled Key), indicating that the application uses attacker-controllable input (such as user IDs, subscription IDs, or session tokens) as the basis for access control decisions without proper server-side validation. The plugin fails to implement secure access control mechanisms, allowing attackers to manipulate object references (IDOR-style attack) to access or modify subscription data belonging to other users or administrative functions they should not have permission to access.

RemediationAI

Immediately upgrade WPSubscription to a version newer than 1.8.10 if a patch has been released by Convers Lab; check the vendor's official repository or website for availability. If no patched version is currently available, disable or deactivate the WPSubscription plugin until a fix is released to prevent exploitation. As an interim mitigation, restrict access to WordPress admin and subscription-related pages via web application firewall (WAF) rules, implement IP whitelisting for administrative functions, and enforce strong authentication such as two-factor authentication (2FA) on WordPress user accounts. Monitor server logs and WordPress audit logs for suspicious access patterns to subscription objects or IDOR-style parameter manipulation attempts. Once a patch is released, test it thoroughly in a staging environment before deploying to production.

Share

EUVD-2025-208999 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy