CVE-2025-67994
Awaiting Analysis
Missing Authorization in YayCurrency Plugin Allows Unauthorized Access

Publication date: 2026-02-20

Last updated on: 2026-04-27

Assigner: Patchstack

Description
Missing Authorization vulnerability in YayCommerce YayCurrency yaycurrency allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YayCurrency: from n/a through <= 3.3.
Meta Information
Published: 2026-02-20
Last Modified: 2026-04-27
Generated: 2026-06-16
AI Q&A: 2026-02-20
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: yaycommerce
Product: yaycurrency
Version / Range: to 3.3 (inclusive)
CWE ID: CWE-862
Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2025-67994 is a high-priority vulnerability in the WordPress YayCurrency plugin, versions up to and including 3.3. It is caused by missing authorization: the plugin does not perform an authorization check before carrying out a requested action, so its access control is incorrectly configured.

This flaw allows unauthenticated attackers to perform arbitrary content deletion on affected websites. In other words, attackers can delete website content such as pictures, posts, or pages without needing any privileges.

The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control and has a CVSS severity score of 7.5, indicating a significant security risk with a high likelihood of exploitation.

Impact Analysis

This vulnerability can have a serious impact by allowing attackers to delete important website content such as images, posts, or pages without any authentication.

Such arbitrary content deletion can lead to loss of critical data, disruption of website services, damage to reputation, and potential loss of business or user trust.


Detection Guidance

This vulnerability allows unauthenticated attackers to perform arbitrary content deletion on sites running the WordPress YayCurrency plugin, versions up to 3.3. Detection can involve monitoring for unusual deletion activity, such as the unexpected removal of pictures, posts, or pages on your website.

Patchstack has issued mitigation rules to block attacks targeting this vulnerability, which may include detection signatures or rules that can be applied in web application firewalls or intrusion detection systems.

Specific commands are not provided in the available resources, but monitoring web server logs for suspicious HTTP requests targeting the YayCurrency plugin endpoints, or using Patchstack's mitigation tools, can help detect exploitation attempts. [1]

Mitigation Strategies

The immediate and recommended mitigation step is to update the WordPress YayCurrency plugin to version 3.3.1 or later, where the vulnerability has been patched.

Until the update can be applied, users should implement Patchstack mitigation rules designed to block attacks targeting this vulnerability.

Additionally, enabling Patchstack's automatic mitigation and auto-update features can enhance protection against exploitation. [1]
