CVE-2025-67994
Missing Authorization in YayCurrency Plugin Allows Unauthorized Access
Publication date: 2026-02-20
Last updated on: 2026-04-27
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yaycommerce | yaycurrency | up to 3.3 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67994 is a high-priority vulnerability in the WordPress YayCurrency plugin versions up to and including 3.3. It is caused by missing authorization, which means that access control is incorrectly configured.
This flaw allows unauthenticated attackers to perform arbitrary content deletion on affected websites. In other words, attackers can delete website content such as pictures, posts, or pages without needing any privileges.
The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control and has a CVSS severity score of 7.5, indicating a significant security risk with a high likelihood of exploitation.
How can this vulnerability impact me?
This vulnerability can have a serious impact by allowing attackers to delete important website content such as images, posts, or pages without any authentication.
Such arbitrary content deletion can lead to loss of critical data, disruption of website services, damage to reputation, and potential loss of business or user trust.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows unauthenticated attackers to perform arbitrary content deletion on the WordPress YayCurrency plugin versions up to 3.3. Detection can involve monitoring for unusual deletion activities such as unexpected removal of pictures, posts, or pages on your website.
Patchstack has issued mitigation rules to block attacks targeting this vulnerability, which may include detection signatures or rules that can be applied in web application firewalls or intrusion detection systems.
Specific commands are not provided in the available resources, but monitoring web server logs for suspicious HTTP requests targeting the YayCurrency plugin endpoints, or using Patchstack's mitigation tools, can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to update the WordPress YayCurrency plugin to version 3.3.1 or later, where the vulnerability has been patched.
Until the update can be applied, users should implement Patchstack mitigation rules designed to block attacks targeting this vulnerability.
Additionally, enabling Patchstack's automatic mitigation and auto-update features can enhance protection against exploitation. [1]