CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-0958: Ultimate WordPress Auction Plugin <= 4.2.9 - Missing Authorization to Arbitrary Post Deletion

5.4 CVSS

Description

The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized access to functionality in all versions up to, and including, 4.2.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary auctions, posts as well as pages and allows them to execute other actions related to auction handling.

Classification

CVE ID: CVE-2025-0958

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.4

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem Types

CWE-20 Improper Input Validation

Affected Products

Vendor: nitesh_singh

Product: Ultimate WordPress Auction Plugin

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 13.86% (scored less or equal to compared to others)

EPSS Date: 2025-04-02 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-0958
https://www.wordfence.com/threat-intel/vulnerabilities/id/af3675c9-3a6b-4139-85e8-2fc57f290e82?source=cve
https://plugins.trac.wordpress.org/browser/ultimate-auction/trunk/ultimate-auction.php#L274
https://plugins.trac.wordpress.org/browser/ultimate-auction/trunk/ultimate-auction.php#L219
https://plugins.trac.wordpress.org/browser/ultimate-auction/trunk/ajax-actions/send-private-msg.php#L35
https://plugins.trac.wordpress.org/changeset/3242416/ultimate-auction/trunk/ultimate-auction.php

Timeline

2025-03-04 10:40:09 UTC
CVE

Ultimate WordPress Auction Plugin <= 4.2.9 - Missing Authorization to Arbitrary Post Deletion