{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-28985", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-03-11T08:10:44.966Z", "datePublished": "2025-06-06T12:54:30.985Z", "dateUpdated": "2026-04-01T15:46:52.833Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "elastic-email-subscribe-form", "product": "Elastic Email Subscribe Form", "vendor": "Elastic Email", "versions": [{"lessThanOrEqual": "1.2.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Hiro (Code016Hiro) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:36:09.200Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Elastic Email Elastic Email Subscribe Form elastic-email-subscribe-form allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Elastic Email Subscribe Form: from n/a through <= 1.2.2.</p>"}], "value": "Missing Authorization vulnerability in Elastic Email Elastic Email Subscribe Form elastic-email-subscribe-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elastic Email Subscribe Form: from n/a through <= 1.2.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T15:46:52.833Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/elastic-email-subscribe-form/vulnerability/wordpress-elastic-email-subscribe-form-1-2-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Elastic Email Subscribe Form plugin <= 1.2.2 - Broken Access Control Vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-06T16:10:29.419896Z", "id": "CVE-2025-28985", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-06T16:24:17.203Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-28985", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-06T16:10:29.419896Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-06T16:10:30.479Z"}}], "cna": {"title": "WordPress Elastic Email Subscribe Form <= 1.2.2 - Broken Access Control Vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Hiro (Code016Hiro) (Patchstack Alliance)"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Elastic Email", "product": "Elastic Email Subscribe Form", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "1.2.2"}], "packageName": "elastic-email-subscribe-form", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/elastic-email-subscribe-form/vulnerability/wordpress-elastic-email-subscribe-form-1-2-2-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Elastic Email Elastic Email Subscribe Form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elastic Email Subscribe Form: from n/a through 1.2.2.", "supportingMedia": [{"type": "text/html", "value": "<p>Missing Authorization vulnerability in Elastic Email Elastic Email Subscribe Form allows Exploiting Incorrectly Configured Access Control Security Levels.</p><p>This issue affects Elastic Email Subscribe Form: from n/a through 1.2.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2025-06-06T12:54:30.985Z"}}}, "cveMetadata": {"cveId": "CVE-2025-28985", "state": "PUBLISHED", "dateUpdated": "2025-06-06T16:24:17.203Z", "dateReserved": "2025-03-11T08:10:44.966Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-06-06T12:54:30.985Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Elastic Email Elastic Email Subscribe Form elastic-email-subscribe-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elastic Email Subscribe Form: from n/a through <= 1.2.2."}, {"lang": "es", "value": "Vulnerabilidad de falta de autorizaci\u00f3n en Elastic Email Elastic Email Subscribe Form permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta al formulario de suscripci\u00f3n de Elastic Email desde n/d hasta la versi\u00f3n 1.2.2."}], "id": "CVE-2025-28985", "lastModified": "2026-04-01T17:19:51.480", "metrics": {}, "published": "2025-06-06T13:15:29.287", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/elastic-email-subscribe-form/vulnerability/wordpress-elastic-email-subscribe-form-1-2-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{}