CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-4105: Splitit <= 4.2.8 - Missing Authorization to Multiple Administrative Actions

5.4 CVSS

Description

The Splitit plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on several functions in the 'splitIt-flexfields-payment-gateway.php' file in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin settings, including changing the environment from sandbox to production and vice versa.

Classification

CVE ID: CVE-2025-4105

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.4

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem Types

CWE-862 Missing Authorization

Affected Products

Vendor: splitit

Product: Splitit

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 6.06% (scored less or equal to compared to others)

EPSS Date: 2025-06-19 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4105
https://www.wordfence.com/threat-intel/vulnerabilities/id/6471b075-8115-4d38-a7dd-2308dca69f15?source=cve
https://plugins.trac.wordpress.org/browser/splitit-installment-payments/tags/4.2.6/splitIt-flexfields-payment-gateway.php#L765
https://plugins.trac.wordpress.org/browser/splitit-installment-payments/tags/4.2.6/splitIt-flexfields-payment-gateway.php#L1927

Timeline

2025-05-21 10:40:22 UTC
CVE

Splitit <= 4.2.8 - Missing Authorization to Multiple Administrative Actions