CVE-2025-3915
Published: 2025-04-26
CVE-2025-3915: The Aeropage Sync for Airtable plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'aeropageDeletePost' function.
Priority: P4 (23)
CVSS 3.1: 4.3 (medium)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.27% (18.6th percentile)
The Aeropage Sync for Airtable plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'aeropageDeletePost' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.
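The bug class described above (CWE-862, a WordPress AJAX handler that deletes a post without checking the caller's capability) and the corresponding fix, as an added illustration in PHP. This is hypothetical example code written for this page, not the plugin's own 'aeropageDeletePost' function; the action names, nonce name and parameter names are assumed.

```php
<?php
// Hypothetical illustration of CWE-862 in a WordPress AJAX handler (not the plugin's code).
// Vulnerable pattern: every logged-in user (Subscriber and up) can reach a wp_ajax_ hook,
// and nothing here verifies that the caller may delete the targeted post.
add_action( 'wp_ajax_example_delete_post', 'example_delete_post_vulnerable' );
function example_delete_post_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    wp_delete_post( $post_id, true );           // no capability check, no nonce check
    wp_send_json_success( array( 'deleted' => $post_id ) );
}

// Hardened pattern: verify the nonce (CSRF) and the per-object capability before acting.
add_action( 'wp_ajax_example_delete_post_safe', 'example_delete_post_hardened' );
function example_delete_post_hardened() {
    // Dies with a 403 if the 'nonce' field is missing or not valid for this action.
    check_ajax_referer( 'example_delete_post', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown post.' ), 404 );
    }
    // 'delete_post' is a meta capability that WordPress maps to delete_posts /
    // delete_others_posts for the post's author and type, so a Subscriber is refused.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
```

Both wp_send_json_* helpers terminate the request, so no explicit return is needed after an error branch.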
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aeropage | aeropage_sync_for_airtable | < 3.3.0 | 3.3.0 |
| aeropage | aeropage_sync_for_airtable | <= 3.2.0 | — |
| craftcms | cms | >= 3.0.0-RC1 < 3.9.15 | 3.9.15 |
| craftcms | cms | >= 4.0.0-RC1 < 4.14.15 | 4.14.15 |
| craftcms | cms | >= 5.0.0-RC1 < 5.6.17 | 5.6.17 |
GHSA
GHSA-q5h6-hwf9-q8q9 (ghsa_unreviewed, 2025-04-26): CVE-2025-3915 [MEDIUM] CWE-862
The Aeropage Sync for Airtable plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'aeropageDeletePost' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.
GHSA
Craft CMS Allows Remote Code Execution (ghsa, 2025-04-25): CVE-2025-32432 [CRITICAL] CWE-94
### Impact
This is an additional fix for https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
This is a high-impact, low-complexity attack vector. To mitigate the issue, users running Craft installations before the fixed versions are encouraged to update to at least that version.
### Details
https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432
### References
https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical
https://sensepost.com/blog/2025/investig
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
https://plugins.trac.wordpress.org/browser/aeropage-sync-for-airtable/trunk/aeropage.php#L475
https://plugins.trac.wordpress.org/browser/aeropage-sync-for-airtable/trunk/aeropage.php#L476
https://plugins.trac.wordpress.org/changeset/3281904/
https://www.wordfence.com/threat-intel/vulnerabilities/id/f98aab54-877b-47df-9c8a-5e70ea985c1c?source=cve
Published: 2025-04-26