CVE-2025-1504 MEDIUM

CVE-2025-1504: Post Lockdown <= 4.0.2 - Missing Authorization to Authenticated (Subscriber+) Post Disclosure

Vendor Andyexeter

Product Post Lockdown

Weakness CWE-862 · Missing authorization

Published March 8, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

The Post Lockdown plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.0.2 via the 'pl_autocomplete' AJAX action due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.

Key dates

02Disclosure timeline

March 8, 2025 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-1504 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2026-1748 Invoct – PDF Invoices & Billing for WooCommerce <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Information Exposure CVE-2024-54402 WordPress Arabic Webfonts plugin <= 1.4.6 - Broken Access Control vulnerability CVE-2026-45667 Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS) CVE-2025-30866 WordPress Terms & Conditions Per Product plugin <= 1.2.15 - Broken Access Control Vulnerability CVE-2025-58016 WordPress CF7 Submissions Plugin <= 0.26 - Broken Access Control Vulnerability