{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68032", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:03.746Z", "datePublished": "2026-02-20T15:46:36.477Z", "dateUpdated": "2026-04-28T16:14:27.001Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "advance-wc-analytics", "product": "Advanced WC Analytics", "vendor": "Passionate Brains", "versions": [{"changes": [{"at": "4.0.0", "status": "unaffected"}], "lessThanOrEqual": "3.19.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:23.060Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Passionate Brains Advanced WC Analytics advance-wc-analytics allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Advanced WC Analytics: from n/a through <= 3.19.0.</p>"}], "value": "Missing Authorization vulnerability in Passionate Brains Advanced WC Analytics advance-wc-analytics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced WC Analytics: from n/a through <= 3.19.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:27.001Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/advance-wc-analytics/vulnerability/wordpress-advanced-wc-analytics-plugin-3-18-0-settings-change-vulnerability?_s_id=cve"}], "title": "WordPress Advanced WC Analytics plugin <= 3.19.0 - Settings Change vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T19:54:42.743862Z", "id": "CVE-2025-68032", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:29:12.245Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68032", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T19:54:42.743862Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T19:53:50.536Z"}}], "cna": {"title": "WordPress Advanced WC Analytics plugin <= 3.19.0 - Settings Change vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Passionate Brains", "product": "Advanced WC Analytics", "versions": [{"status": "affected", "changes": [{"at": "4.0.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.19.0"}], "packageName": "advance-wc-analytics", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:23.060Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/advance-wc-analytics/vulnerability/wordpress-advanced-wc-analytics-plugin-3-18-0-settings-change-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Passionate Brains Advanced WC Analytics advance-wc-analytics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced WC Analytics: from n/a through <= 3.19.0.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Passionate Brains Advanced WC Analytics advance-wc-analytics allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Advanced WC Analytics: from n/a through <= 3.19.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:27.001Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68032", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:27.001Z", "dateReserved": "2025-12-15T10:01:03.746Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:36.477Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Passionate Brains Advanced WC Analytics advance-wc-analytics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced WC Analytics: from n/a through <= 3.19.0."}, {"lang": "es", "value": "Vulnerabilidad de falta de autorizaci\u00f3n en Passionate Brains Advanced WC Analytics advance-wc-analytics permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Advanced WC Analytics: desde n/a hasta &lt;= 3.19.0."}], "id": "CVE-2025-68032", "lastModified": "2026-04-27T19:16:22.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-20T16:22:08.220", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/advance-wc-analytics/vulnerability/wordpress-advanced-wc-analytics-plugin-3-18-0-settings-change-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.19.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Advanced WC Analytics", "source": "cna", "vendor": "Passionate Brains"}, "product": "advanced_wc_analytics", "vendor": "passionate_brains"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T09:35:47.596054+00:00", "value": {"mitigation_remediation": ["Upgrade the Advanced WC Analytics plugin to the latest version (\u2265\u202f3.20) to incorporate the vendor fix for the missing authorization issue.", "Review and restrict WordPress user roles so that only trusted administrators have the capability required to modify Advanced WC Analytics settings.", "Audit the plugin\u2019s settings and review any recent changes; consider enabling alerts for configuration modifications to detect unauthorized activity early.", "If upgrading immediately is not possible, disable the plugin\u2019s configuration editing interface for all users below the administrator level to mitigate potential exploitation."], "summary": {"action": "Patch Update", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected product is Passionate Brains' Advanced WC Analytics plugin for WordPress. All releases up to and including version\u202f3.19.0 are impacted; later releases are not listed as vulnerable.", "description_and_impact": "The vulnerability is a missing authorization flaw that permits unauthorized parties to modify settings within the WordPress Advanced WC Analytics plugin. This flaw enables privileged actions such as changing analytics configuration, potentially leading to incorrect data collection or exposing sensitive information. The weakness is identified as CWE-862 (Missing Authorization) and directly undermines the integrity of the plugin\u2019s configuration data.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity vulnerability, while the EPSS score of less than 1\u202f% suggests a very low probability of exploitation at the time of analysis. The plugin is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker must either be authenticated to the WordPress admin interface or have exploited credential reuse or a misconfiguration that grants sufficient privileges. Once such access is gained, the attacker can modify plugin settings at will. Due to the limited exploitation window and the absence of a known public exploit, the overall risk remains moderate but should not be ignored."}}}}, "created": "2026-02-23T14:45:42.478092+00:00", "updated": "2026-04-28T09:45:28.449736+00:00", "vendors": ["passionate_brains", "passionate_brains$PRODUCT$advanced_wc_analytics", "wordpress", "wordpress$PRODUCT$wordpress"]}