CVE-2025-2816: Missing Authorization in Page View Count

Severity
8.1 HIGH (NVD)
EPSS
0.2%
top 54.52%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published May 1

Description

The Page View Count plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the yellow_message_dontshow() function in versions 2.8.0 to 2.8.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to one on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Exploitability: 2.8 | Impact: 5.2

Affected Packages (2 packages)

NVD        a3rev/page_view_count  2.8.0  2.8.5
CVEListV5  a3rev/page_view_count  2.8.0  2.8.4

Patches

🔴 Vulnerability Details

2
CVEList
Page View Count 2.8.0 - 2.8.4 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update (2025-05-01)
GHSA
GHSA-ghx7-9hwq-xp4w: The Page View Count plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capa (2025-05-01)

📋 Vendor Advisories

2
Microsoft
Consul Envoy Extension Downstream Proxy Configuration By Upstream Service Owner (2023-06-13)
Microsoft
Out-of-bounds Read in vim/vim (2022-08-09)