CVE-2025-4654 LOW

CVE-2025-4654: Soumettre.fr <= 2.1.5 - Improper Authorization to Unauthenticated Soumettre Posts Creation/Modification/Deletion

Vendor Soumettre
Product Soumettre.fr
Weakness CWE-285
Published July 2, 2025
Last update April 8, 2026

CVSS base score

3.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Soumettre.fr plugin for WordPress is vulnerable to unauthorized access and modification of data due to improper authorization checks on the make_signature function in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to create, edit or delete Soumettre posts. This vulnerability affects only installations where the Soumettre account is not connected (i.e. the API key is not installed).

Explanation of Vulnerability in Simple Terms

02 Summary

Soumettre.fr versions 2.1.5 and earlier contain an integrity vulnerability that allows an unauthenticated attacker to modify data over the network: Soumettre posts can be created, edited or deleted on installations where the Soumettre account is not connected. The vulnerability requires specific conditions to exploit (attack complexity High) and does not affect confidentiality or availability. Users should update to a version newer than 2.1.5 when available.

What an attacker can do

03 Attacker Capabilities

Create, edit or delete Soumettre posts without authenticating, on installations where the Soumettre account is not connected (no API key installed).

Potential impact on your site

04 Site Impact

Data integrity cannot be guaranteed for affected versions; updates should be applied when available.

Conditions required to exploit

05 Prerequisites

Network access and specific attack conditions, on an installation where the Soumettre account is not connected (API key not installed); no authentication or user interaction required.

Key dates

06 Disclosure timeline

July 2, 2025 CVE published
April 8, 2026 Record updated

Related vulnerabilities

08 Related CVE