CVE-2025-15476
Unauthorized Data Modification in Bucketlister WordPress Plugin
Publication date: 2026-02-07
Last updated on: 2026-02-07
Assigner: Wordfence
Description
CVSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bucketlister | bucketlister | all versions up to and including 0.1.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Bucketlister plugin for WordPress is vulnerable to unauthorized data modification because the bucketlister_do_admin_ajax() function lacks a capability check in all versions up to and including 0.1.5.
WordPress dispatches wp_ajax_* actions to every logged-in user regardless of role, so without a capability check the handler trusts any authenticated account. This allows attackers with Subscriber-level access or higher to add, delete, or modify arbitrary bucket list items that they were never authorized to manage.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized modification of data managed by the Bucketlister plugin.
Attackers with low-privilege authenticated access (Subscriber-level or higher) can manipulate bucket list items, causing data integrity issues or unwanted changes to content on the affected WordPress site.
The CVSS base score of 4.3 places the issue in the Medium severity band; the impact is to data integrity, not to confidentiality or availability. Note that any site that allows open registration effectively exposes this to unauthenticated attackers, since they can create a Subscriber account themselves.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know
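The CWE-862 pattern described in the Q&A above, shown as an added illustration beside its hardened form. This is not the Bucketlister plugin's own code: the handler names, the `example_bucket_items` option key, the `op`/`title`/`index` request fields and the nonce action name are all hypothetical, chosen only to show how a WordPress admin-ajax handler ends up reachable by any Subscriber and what the fix looks like.

```php
<?php
// Added example: a missing-capability-check (CWE-862) admin-ajax handler and
// its hardened counterpart. NOT code from the Bucketlister plugin; every name
// below (functions, option key, request fields, nonce action) is hypothetical.

// Shared state-changing logic. The bug is not here; it is in who may call it.
function example_apply_bucket_op( array $items, $op, $title, $index ) {
    if ( 'add' === $op ) {
        $items[] = $title;
    } elseif ( 'delete' === $op && isset( $items[ $index ] ) ) {
        array_splice( $items, $index, 1 );
    } elseif ( 'edit' === $op && isset( $items[ $index ] ) ) {
        $items[ $index ] = $title;
    }
    return array_values( $items );
}

function example_read_request() {
    return array(
        isset( $_POST['op'] ) ? sanitize_key( $_POST['op'] ) : '',
        isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '',
        isset( $_POST['index'] ) ? absint( $_POST['index'] ) : -1,
    );
}

// VULNERABLE: wp_ajax_* actions fire for every logged-in user, whatever their
// role. Nothing here asks whether the caller is allowed to change the list, so
// a Subscriber can POST action=example_bucket_vulnerable&op=delete&index=0.
function example_do_admin_ajax_vulnerable() {
    list( $op, $title, $index ) = example_read_request();
    $items = get_option( 'example_bucket_items', array() );
    $items = example_apply_bucket_op( $items, $op, $title, $index );
    update_option( 'example_bucket_items', $items );
    wp_send_json_success( $items );
}
add_action( 'wp_ajax_example_bucket_vulnerable', 'example_do_admin_ajax_vulnerable' );

// HARDENED: authorize first, then verify intent, then touch state.
function example_do_admin_ajax_hardened() {
    // Authorization (the missing check): require a capability that matches the
    // action. 'manage_options' limits this to administrators; pick a narrower
    // custom capability if editors or item owners are meant to manage entries.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection: a capability check alone does not stop an admin's own
    // browser being driven by a hostile page, so also require a valid nonce.
    check_ajax_referer( 'example_bucket_nonce', 'nonce' );

    list( $op, $title, $index ) = example_read_request();
    $items = get_option( 'example_bucket_items', array() );
    $items = example_apply_bucket_op( $items, $op, $title, $index );
    update_option( 'example_bucket_items', $items );
    wp_send_json_success( $items );
}
add_action( 'wp_ajax_example_bucket_hardened', 'example_do_admin_ajax_hardened' );

// The admin page that issues requests must be handed the nonce the hardened
// handler expects, e.g. via wp_localize_script() when enqueuing its JS.
function example_enqueue_admin_js( $hook ) {
    wp_enqueue_script( 'example-bucket', plugins_url( 'bucket.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-bucket', 'exampleBucket', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_bucket_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_js' );
```

Two things to check when reviewing a handler like this in any plugin: first, that the capability test runs before any read of the request or write to the database, not after; second, that the nonce check is in addition to the capability check rather than instead of it, since a nonce proves intent of whoever holds it, not that they are permitted to perform the action.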