Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in lvaudore The Moneytizer the-moneytizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Moneytizer: from n/a through <= 10.0.10.
AnalysisAI
Missing authorization in The Moneytizer WordPress plugin through version 10.0.10 allows unauthenticated remote attackers to modify content via incorrectly configured access control, enabling unauthorized data integrity changes without requiring authentication or user interaction. While CVSS scores 5.3 (medium) and EPSS exploitation probability is minimal at 0.02%, the lack of authentication requirements and network accessibility make this a persistent authorization bypass affecting all installations of vulnerable versions.
Technical ContextAI
The Moneytizer WordPress plugin implements access control mechanisms that fail to properly validate user permissions before allowing state-changing operations. This is a CWE-862 (Missing Authorization) vulnerability where the application checks whether an action is allowed but fails to verify that the user performing the action has sufficient privileges. The vulnerability resides in the plugin's backend request handlers, which process user input without proper role-based access control (RBAC) enforcement. WordPress plugins typically extend wp-admin functionality; this vulnerability suggests certain administrative or data-modification endpoints lack capability checks (e.g., missing current_user_can() validation in action handlers). The affected CPE (cpe:2.3:a:lvaudore:the_moneytizer:*:*:*:*:*:*:*:*) indicates all versions up to 10.0.10 are vulnerable.
RemediationAI
Upgrade The Moneytizer WordPress plugin to a patched version beyond 10.0.10. Vendors typically release patched versions shortly after vulnerability disclosure; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/the-moneytizer/vulnerability/wordpress-the-moneytizer-plugin-10-0-10-broken-access-control-vulnerability) for the exact fixed version number. If automatic updates are enabled in WordPress, the patch will install automatically. Site administrators should verify the plugin version in WordPress admin dashboard (Plugins > Installed Plugins > The Moneytizer) and manually update via Plugins > Available Updates if needed. As a temporary mitigation, restrict admin access via WordPress user roles (only trusted administrators should have plugin management capabilities), though this does not eliminate the vulnerability itself.
More in The Moneytizer
View allThe The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of
The The Moneytizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20373
GHSA-3mhr-hwm3-pcr6