{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4654", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-13T13:51:31.166Z", "datePublished": "2025-07-02T03:47:24.306Z", "dateUpdated": "2026-04-08T16:51:58.194Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:58.194Z"}, "affected": [{"vendor": "soumettre", "product": "Soumettre.fr", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Soumettre.fr plugin for WordPress is vulnerable to unauthorized access and modification of data due to a improper authorization checks on the make_signature function in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to create/edit/delete Soumettre posts. This vulnerability affects only installations where the soumettre account is not connected (i.e. API key is not installed)"}], "title": "Soumettre.fr <= 2.1.5 - Improper Authorization to Unauthenticated Soumettre Posts Creation/Modification/Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f29d476-0730-437c-8065-309523278efa?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/soumettre-fr/tags/2.1.5/public/rest/class-soumettre-rest-route.php#L211"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-285 Improper Authorization", "cweId": "CWE-285", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.7, "baseSeverity": "LOW"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)"}], "timeline": [{"time": "2025-05-09T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-07-01T15:00:59.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-02T13:00:42.939504Z", "id": "CVE-2025-4654", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T13:18:44.866Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4654", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-02T13:00:42.939504Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T13:05:23.430Z"}}], "cna": {"title": "Soumettre.fr <= 2.1.5 - Improper Authorization to Unauthenticated Soumettre Posts Creation/Modification/Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "soumettre", "product": "Soumettre.fr", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-09T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-07-01T15:00:59.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f29d476-0730-437c-8065-309523278efa?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/soumettre-fr/tags/2.1.5/public/rest/class-soumettre-rest-route.php#L211"}], "descriptions": [{"lang": "en", "value": "The Soumettre.fr plugin for WordPress is vulnerable to unauthorized access and modification of data due to a improper authorization checks on the make_signature function in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to create/edit/delete Soumettre posts. This vulnerability affects only installations where the soumettre account is not connected (i.e. API key is not installed)"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285 Improper Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:58.194Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4654", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:51:58.194Z", "dateReserved": "2025-05-13T13:51:31.166Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-02T03:47:24.306Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Soumettre.fr plugin for WordPress is vulnerable to unauthorized access and modification of data due to a improper authorization checks on the make_signature function in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to create/edit/delete Soumettre posts. This vulnerability affects only installations where the soumettre account is not connected (i.e. API key is not installed)"}, {"lang": "es", "value": "El complemento Soumettre.fr para WordPress es vulnerable al acceso y la modificaci\u00f3n de datos no autorizados debido a comprobaciones de autorizaci\u00f3n incorrectas en la funci\u00f3n make_signature en todas las versiones hasta la 2.1.5 incluida. Esto permite que atacantes no autenticados creen, editen o eliminen publicaciones de Soumettre. Esta vulnerabilidad solo afecta a las instalaciones donde la cuenta de Soumettre no est\u00e1 conectada (es decir, la clave API no est\u00e1 instalada)."}], "id": "CVE-2025-4654", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-02T04:15:54.673", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/soumettre-fr/tags/2.1.5/public/rest/class-soumettre-rest-route.php#L211"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f29d476-0730-437c-8065-309523278efa?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:56:15.088742+00:00", "value": {"mitigation_remediation": ["Update Soumettre.fr to the latest available version where the authorization check has been fixed", "If an update cannot be applied immediately, remove or disable the plugin, or disable API key connectivity to prevent unauthorized operations", "Audit the WordPress REST API configuration to ensure that all endpoints for Soumettre posts require proper authentication before allowing creation, editing, or deletion"], "summary": {"action": "Apply patch", "impact": "Unauthorized creation, editing and deletion of Soumettre posts due to improper authorization checks"}, "threat_synthesis": {"affected_systems": "WordPress installations running Soumettre.fr version 2.1.5 or earlier, specifically when the Soumettre account is not connected via an API key.", "description_and_impact": "The Soumettre.fr plugin for WordPress contains an improper authorization check in its make_signature function, allowing an attacker to create, edit, or delete Soumettre posts without authentication. This access control failure (CWE-285) results in unauthorized manipulation of content, potentially compromising the integrity of the site and exposing sensitive information.", "risk_and_exploitability": "The vulnerability has a CVSS score of 3.7, indicating low severity. Its EPSS score is below 1%, suggesting a very low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The attack vector is inferred to be unauthenticated access via the plugin\u2019s REST API endpoints, where the lack of proper authorization allows attackers to perform post actions."}}}}, "created": "2025-07-13T21:48:04.326332+00:00", "updated": "2026-04-21T20:00:25.901492+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}