All intelligence
// vulnerability record
live · NVDCVE-2025-1508
MEDIUMpublished 2025-03-12 04:15 UTC · 1 year ago · modified 2026-06-17 08:39 UTC
5.3
CVSS / 10
// description
The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all versions up to, and including, 2.1.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to download all of a site's post content when WooCommerce is installed.
// cvss 3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
// weaknesses (CWE)
- CWE-862
- CWE-862
// references (3)
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3284694%40wp-crowdfunding&new=3284694%40wp-crowdfunding&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/wp-crowdfunding/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/70a93afa-9801-41d2-8923-ca4ae6ae974f?source=cve