CVE-2025-4654

The Soumettre.fr plugin for WordPress is vulnerable to unauthorized access and modification of data due to a improper authorization checks on the make_signature function in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to create/edit/delete Soumettre posts. This vulnerability affects only installations where the soumettre account is not connected (i.e. API key is not installed)

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/soumettre-fr/tags/2.1.5/public/rest/class-soumettre-rest-route.php#L211
https://www.wordfence.com/threat-intel/vulnerabilities/id/4f29d476-0730-437c-8065-309523278efa?source=cve

Configurations

No configuration.

History

03 Jul 2025, 15:14

Type	Values Removed	Values Added
Summary		(es) El complemento Soumettre.fr para WordPress es vulnerable al acceso y la modificación de datos no autorizados debido a comprobaciones de autorización incorrectas en la función make_signature en todas las versiones hasta la 2.1.5 incluida. Esto permite que atacantes no autenticados creen, editen o eliminen publicaciones de Soumettre. Esta vulnerabilidad solo afecta a las instalaciones donde la cuenta de Soumettre no está conectada (es decir, la clave API no está instalada).

02 Jul 2025, 04:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-02 04:15

Updated : 2025-07-03 15:14

NVD link : CVE-2025-4654

Mitre link : CVE-2025-4654

CVE.ORG link : CVE-2025-4654

JSON object : View

Products Affected

No product.

CWE

CWE-285

Improper Authorization

3.7 /10