{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25437", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:40.963Z", "datePublished": "2026-03-25T16:14:49.711Z", "dateUpdated": "2026-03-26T16:40:30.808Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "gzseo", "product": "GZSEO", "vendor": "\u0633\u06cc\u062f \u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646 \u0647\u0627\u0634\u0645\u06cc", "versions": [{"lessThanOrEqual": "<= 2.0.14", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:28.371Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in \u0633\u06cc\u062f \u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646 \u0647\u0627\u0634\u0645\u06cc GZSEO gzseo allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects GZSEO: from n/a through <= 2.0.14.</p>"}], "value": "Missing Authorization vulnerability in \u0633\u06cc\u062f \u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646 \u0647\u0627\u0634\u0645\u06cc GZSEO gzseo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GZSEO: from n/a through <= 2.0.14."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:49.711Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/gzseo/vulnerability/wordpress-gzseo-plugin-2-0-11-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress GZSEO plugin <= 2.0.14 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25437", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:32:00.791259Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:40:30.808Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in \u0633\u06cc\u062f \u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646 \u0647\u0627\u0634\u0645\u06cc GZSEO gzseo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GZSEO: from n/a through <= 2.0.14."}], "id": "CVE-2026-25437", "lastModified": "2026-03-25T17:16:50.860", "metrics": {}, "published": "2026-03-25T17:16:50.860", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/gzseo/vulnerability/wordpress-gzseo-plugin-2-0-11-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.14]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "GZSEO", "source": "cna", "vendor": "\u0633\u06cc\u062f \u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646 \u0647\u0627\u0634\u0645\u06cc"}, "product": "gzseo", "vendor": "\u0633\u06cc\u062f_\u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646_\u0647\u0627\u0634\u0645\u06cc"}], "analysis": {"en": {"generated_at": "2026-03-25T18:52:05.103095+00:00", "value": {"mitigation_remediation": ["Upgrade to a version newer than 2.0.14 if one is available from the vendor.", "If an update is not available, disable the GZSEO plugin to eliminate the risk until an official fix is released.", "Verify that no residual URLs or API endpoints related to GZSEO remain accessible in your WordPress installation."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the GZSEO plugin, the WordPress plugin developed by \u0633\u06cc\u062f \u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646 \u0647\u0627\u0634\u0645\u06cc. All released versions up to and including 2.0.14 are susceptible.", "description_and_impact": "The vulnerability is a missing authorization flaw in the GZSEO plugin, enabling unauthorized users to perform restricted actions. The flaw permits attackers to access data or functionality intended for privileged users, representing a classic CWE\u2011862 Incorrect Authorization issue.", "risk_and_exploitability": "The CVSS score is not provided, but based on the description, the risk level is moderate to high because the flaw allows elevation of privilege or unauthorized data exposure. Since EPSS is not available and the issue is not listed in KEV, there is no publicly confirmed exploit. The attack likely requires interaction with the plugin\u2019s endpoints, possibly via typical WordPress admin or front\u2011end URLs, and may benefit from a pre\u2011authenticated user with limited privileges. The attacker could thus access or modify content without proper authorization."}}}}, "created": "2026-03-25T21:44:27.987440+00:00", "updated": "2026-03-26T11:38:23.550979+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "\u0633\u06cc\u062f_\u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646_\u0647\u0627\u0634\u0645\u06cc", "\u0633\u06cc\u062f_\u0645\u062d\u0645\u062f\u0627\u0645\u06cc\u0646_\u0647\u0627\u0634\u0645\u06cc$PRODUCT$gzseo"]}