CVE-2025-4105 Splitit <= 4.2.8 - Missing Authorization to Multiple Administrative Actions

May 21, 2025 invoker category_cve

CVE Details

Basic Information

Title CVE-2025-4105 Splitit <= 4.2.8 - Missing Authorization to Multiple Administrative Actions
Type cve
Published 2025-05-21T09:21:50
Last Seen 2025-05-21T10:19:23

CVSS Information

Base Score 5.4 (MEDIUM)
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact LOW
Integrity Impact LOW
Availability Impact NONE

AI Analysis

AI Description The Splitit plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks, allowing authenticated attackers with Subscriber-level access to change plugin settings, including switching between sandbox and production environments.
AI Severity Medium
Vendor Splitit
Product Splitit Plugin for WordPress
Affected Version <= 4.2.8

Additional Information

CVE List CVE-2025-4105
CWE List CWE-862
Bulletin Family cve

Description

The Splitit plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on several functions in the ‘splitIt-flexfields-payment-gateway.php’ file in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin settings, including changing the environment from sandbox to production and vice versa.

CVSS Score Summary

Base Score: %!f(string=#) (MEDIUM)

View Full CVE Details

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.