CVE-2025-12676

Medium CVSS: 5.3

The KiotViet Sync plugin for WordPress is vulnerable to authorizarion bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attackers to create and sync products.

Vendor

Product

CWE

CWE-259

Yayın Tarihi

2025-11-05 08:15:33

Güncelleme

2025-11-06 19:45:30

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-259 MEDIUM 2025

Referanslar

https://wordpress.org/plugins/kiotvietsync/ https://www.wordfence.com/threat-intel/vulnerabilities/id/a2d7165b-1290-4032-8fbc-75ec1ab34a08?source=cve