CVE-2025-15476 MEDIUM

CVE-2025-15476: The Bucketlister <= 0.1.5 - Missing Authorization to Authenticated (Subscriber+) Bucket List Modification

Vendor Simonfairbairn
Product The Bucketlister
Weakness CWE-862 · Missing authorization
Published February 7, 2026
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add, delete, or modify arbitrary bucket list items.
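As an added illustration (not the plugin's own code), the CWE-862 pattern this record describes, shown on a hypothetical WordPress admin-ajax handler: any logged-in user can reach a wp_ajax_ action, so a handler that performs writes without a capability check lets Subscriber-level accounts change data. The handler name, the capability used and the option-based data layer are assumptions made for the example.

```php
<?php
// Added example, not code from the plugin. Hypothetical handler names.

// Data layer (assumed): bucket list items kept in a single option.
function example_apply_bucket_op( $item_id, $op, $title ) {
    $items = get_option( 'example_bucket_items', array() );
    if ( 'delete' === $op ) {
        unset( $items[ $item_id ] );
    } else { // 'add' or 'modify'
        $items[ $item_id ] = $title;
    }
    update_option( 'example_bucket_items', $items );
}

// BEFORE (the vulnerable pattern): wp_ajax_{action} fires for every
// authenticated user, Subscribers included. Nothing here verifies what the
// caller is permitted to do, so the write runs for any low-privilege account.
// add_action( 'wp_ajax_example_bucket', 'example_bucket_unchecked' );
function example_bucket_unchecked() {
    $item_id = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;
    $op      = isset( $_POST['op'] ) ? sanitize_key( $_POST['op'] ) : '';
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( $_POST['title'] ) : '';
    example_apply_bucket_op( $item_id, $op, $title );
    wp_send_json_success();
}

// AFTER: authorization first, then the CSRF nonce, then the operation.
add_action( 'wp_ajax_example_bucket', 'example_bucket_checked' );
function example_bucket_checked() {
    // Capability check: the control that CWE-862 is about. 'manage_options'
    // limits this to administrators; a plugin-specific capability is narrower.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }
    // Nonce check guards against CSRF; it is a separate control, not a
    // substitute for the capability check above.
    check_ajax_referer( 'example_bucket', 'nonce' );

    $item_id = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;
    $op      = isset( $_POST['op'] ) ? sanitize_key( $_POST['op'] ) : '';
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( $_POST['title'] ) : '';
    if ( ! in_array( $op, array( 'add', 'delete', 'modify' ), true ) ) {
        wp_send_json_error( array( 'message' => 'bad op' ), 400 ); // exits
    }
    example_apply_bucket_op( $item_id, $op, $title );
    wp_send_json_success();
}
```

When reviewing a plugin for this class of bug, list every wp_ajax_ and wp_ajax_nopriv_ hook and confirm that each handler that writes data calls current_user_can() (or an equivalent authorization check) before acting; a nonce check alone does not establish authorization.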

Explanation of Vulnerability in Simple Terms

02 Summary

The Bucketlister through version 0.1.5 lacks proper authorization checks, allowing authenticated users to modify data they should not have access to. An attacker with a low-privilege account can change information without the application verifying their permissions. This affects the integrity of stored data but does not expose sensitive information or cause service disruption.

What an attacker can do

03 Attacker Capabilities

Modify data belonging to other users or restricted areas of the application.

Potential impact on your site

04 Site Impact

Data integrity is at risk; users' information may be altered by unauthorized accounts without detection.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid user account with low-level privileges; no user interaction required.

Key dates

06 Disclosure timeline

February 7, 2026 CVE published
April 8, 2026 Record updated