CVE-2025-22277 HIGH

CVE-2025-22277: WordPress Vitepos plugin <= 3.1.4 - Broken Authentication vulnerability

Vendor Appsbd
Product Vitepos
Weakness CWE-288
Published April 1, 2025
Last update April 28, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos vitepos-lite allows Authentication Abuse. This issue affects Vitepos: from n/a through <= 3.1.4.

Explanation of Vulnerability in Simple Terms

02 Summary

Vitepos versions 3.1.4 and earlier contain an authentication bypass vulnerability that allows an attacker with low-level privileges to gain full read, write, and delete access to the system. The vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and requires only network access and valid low-privilege credentials to exploit. No user interaction is needed.

What an attacker can do

03 Attacker Capabilities

Read, modify, and delete sensitive data; escalate privileges from low to full system access.

Potential impact on your site

04 Site Impact

A low-privilege user can compromise the entire Vitepos installation, accessing all data and potentially disrupting service.

Conditions required to exploit

05 Prerequisites

Attacker must have valid low-privilege account credentials and network access to the application.

Key dates

06 Disclosure timeline

April 1, 2025 CVE published
April 28, 2026 Record updated