Skip to main content

Gzseo EUVDEUVD-2026-15727

| CVE-2026-25437 MEDIUM
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-g9vx-ghxj-8mhw
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15727
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.5

DescriptionCVE.org

Missing Authorization vulnerability in سید محمدامین هاشمی GZSEO gzseo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GZSEO: from n/a through <= 2.0.14.

AnalysisAI

GZSEO through version 2.0.14 contains an authorization bypass that allows unauthenticated remote attackers to modify data or cause service disruption through improperly configured access controls. The vulnerability enables attackers to exploit weakened security levels without requiring valid credentials or user interaction. No patch is currently available for this vulnerability.

Technical ContextAI

The vulnerability is a broken access control issue (CWE-862: Missing Authorization) in the GZSEO WordPress plugin, as identified via CPE cpe:2.3:a:سید_محمدامین_هاشمی:gzseo:*:*:*:*:*:*:*:*. GZSEO is a WordPress plugin for SEO optimization, and the vulnerability stems from insufficient authorization checks on security-sensitive functions or API endpoints. The plugin fails to properly validate user roles and capabilities before allowing access to restricted features, permitting authenticated or unauthenticated attackers to bypass access controls and interact with protected administrative or data-manipulation functions.

RemediationAI

Upgrade the GZSEO plugin to a version after 2.0.14 immediately to obtain the access control fixes. Site administrators should navigate to their WordPress plugin management dashboard, locate GZSEO, and update to the latest available version. If immediate patching is not possible, site administrators should consider temporarily disabling the GZSEO plugin and relying on alternative SEO solutions until a patch can be applied. Additionally, enforce strict user role and capability restrictions within WordPress, limiting administrative access to trusted personnel only, and monitor plugin activity logs for any suspicious access patterns that may indicate exploitation attempts.

Share

EUVD-2026-15727 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy