CVE-2025-1508: Missing Authorization in WP Crowdfunding

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.1% (top 65.03%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 12
Latest update: Dec 30

Description

The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all versions up to, and including, 2.1.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to download all of a site's post content when WooCommerce is installed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages: 2 packages

🔴 Vulnerability Details (3)

GHSA, 2025-12-30: ImageMagick's failure to limit the depth of SVG file reads caused a DoS attack
CVEList, 2025-03-12: WP Crowdfunding <= 2.1.14 - Missing Authorization to Authenticated (Subscriber+) Post Content Download
GHSA, 2025-03-12: GHSA-q4vj-m25p-6gfj: The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in

📋 Vendor Advisories (1)

Microsoft, 2022-08-09: An out-of-bounds read flaw was found in the Linux kernel’s io_uring module in the way a user triggers the io_read() function with some special parameters. This flaw allows a local user to read some me