CVE-2025-5812

MEDIUM 4.3

VG WORT METIS <= 2.0.0 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

0th

The VG WORT METIS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the gutenberg_save_post() function in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update limited post settings.

CWE	CWE-862
Vendor	vgwort
Product	vg wort metis
Published	Jun 26, 2025
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for vgwort vg wort metis

Be the first to know when new medium vulnerabilities affecting vgwort vg wort metis are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

vgwort / VG WORT METIS

0 ≤ 2.0.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/b9edcbdc-5b01-4880-95ec-57d87ccbb472?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/vgw-metis/trunk/classes/admin.php#L422 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3334017/vgw-metis/trunk/classes/admin.php

Credits

ch4r0n