CVE-2025-39535 HIGH

CVE-2025-39535: WordPress Vitepos plugin <= 3.1.7 - Broken Authentication Vulnerability

Vendor Appsbd
Product Vitepos
Weakness CWE-288
Published April 17, 2025
Last update April 28, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos vitepos-lite allows Authentication Abuse. This issue affects Vitepos: from n/a through <= 3.1.7.

Explanation of Vulnerability in Simple Terms

02 Summary

Vitepos versions 3.1.7 and earlier contain an authentication bypass vulnerability affecting high-privilege users. An authenticated administrator can read sensitive data, modify system settings, and disrupt service availability. The vulnerability requires valid admin credentials and network access to the application.

What an attacker can do

03 Attacker Capabilities

An attacker who has admin credentials can read sensitive data, modify system settings, and disrupt service availability.

Potential impact on your site

04 Site Impact

Administrators with compromised credentials can cause data breaches, configuration tampering, and service outages.

Conditions required to exploit

05 Prerequisites

Valid administrator account and network access to the Vitepos application.

Key dates

06 Disclosure timeline

April 17, 2025 CVE published
April 28, 2026 Record updated