CVE-2025-12676 MEDIUM

CVE-2025-12676: KiotViet Sync <= 1.8.5 - Use of Hard-coded Password to Authorization Bypass

Vendor Mykiot
Product KiotViet Sync
Weakness CWE-259
Published November 5, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The KiotViet Sync plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hard-coded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attackers to create and sync products.
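The contrast below is an illustrative example added to this record; it is not code from the KiotViet Sync plugin. It places a hard-coded comparison of the kind CWE-259 describes beside a check that ties the sync endpoint to a per-site secret or to an administrator's session. The class and method names echo the function the advisory names; the request parameter, header name and option name are assumptions.

```php
<?php
// Constructed for this write-up; not KiotViet Sync's code. Names below that
// are not in the advisory (parameter, header, option, nonce action) are assumed.

class QueryControllerAdmin_Vulnerable {
    // CWE-259: a secret compiled into the plugin is identical on every install
    // and is visible to anyone who can read the plugin source.
    private const HARDCODED_PASSWORD = 'PLACEHOLDER_HARDCODED_VALUE';

    public function authenticated(): bool {
        $supplied = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : '';
        return $supplied === self::HARDCODED_PASSWORD;
    }
}

class QueryControllerAdmin_Hardened {
    private const OPTION = 'kiotviet_sync_api_secret'; // assumed option name

    // A secret generated per site on first use and kept in the database is
    // unique to that install and never ships in the plugin source.
    public static function secret(): string {
        $secret = get_option(self::OPTION, '');
        if (!is_string($secret) || $secret === '') {
            $secret = wp_generate_password(48, true, true);
            update_option(self::OPTION, $secret, false); // autoload = false
        }
        return $secret;
    }

    public function authenticated(): bool {
        // Interactive use: require an administrator capability plus a nonce,
        // so a logged-in low-privilege user or a CSRF'd browser cannot sync.
        if (is_user_logged_in()) {
            $nonce = isset($_REQUEST['_wpnonce'])
                ? sanitize_text_field(wp_unslash($_REQUEST['_wpnonce'])) : '';
            return current_user_can('manage_options')
                && wp_verify_nonce($nonce, 'kiotviet_sync_admin') !== false;
        }
        // Unattended sync clients present the per-site secret in a header
        // (assumed name); hash_equals() compares in constant time.
        $supplied = isset($_SERVER['HTTP_X_KIOTVIET_SECRET'])
            ? (string) $_SERVER['HTTP_X_KIOTVIET_SECRET'] : '';
        return $supplied !== '' && hash_equals(self::secret(), $supplied);
    }
}
```

Rotating the stored option invalidates every previously issued secret, which a fixed string in the plugin source can never offer.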

Explanation of Vulnerability in Simple Terms

02 Summary

KiotViet Sync versions 1.8.5 and earlier contain a flaw that allows an attacker to modify data without authentication. The vulnerability requires only network access and no user interaction. An attacker can alter information processed by the application, though confidentiality and availability are not affected.

What an attacker can do

03 Attacker Capabilities

Modify data or settings in the application without logging in.

Potential impact on your site

04 Site Impact

Attackers can alter application data or configuration without credentials, potentially disrupting operations or data integrity.

Conditions required to exploit

05 Prerequisites

Network access to the application; no authentication or user interaction required.

Key dates

06 Disclosure timeline

November 5, 2025 CVE published
April 8, 2026 Record updated