CVE-2025-0954 MEDIUM

CVE-2025-0954: WP Online Contract <= 5.1.4 - Missing Authorization to Unauthenticated Settings Import

Vendor Futuredesigngrp
Product WP Online Contract
Weakness CWE-862 · Missing authorization
Published March 5, 2025
Last update April 8, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

The WP Online Contract plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the json_import() and json_export() functions in all versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to import and export the plugin's settings.

Key dates

02Disclosure timeline

March 5, 2025 CVE published
April 8, 2026 Record updated