CVE-2025-47619 MEDIUM

CVE-2025-47619: WordPress 6Storage Rentals plugin <= 2.20.2 - Broken Access Control vulnerability

Vendor 6Storage
Product 6Storage Rentals
Weakness CWE-862 · Missing authorization
Published May 23, 2025
Last update May 12, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

Missing Authorization vulnerability in 6Storage 6Storage Rentals 6storage-rentals allows Path Traversal. This issue affects 6Storage Rentals: from n/a through <= 2.20.2.

Explanation of Vulnerability in Simple Terms

02 Summary

6Storage Rentals versions up to 2.20.2 fail to properly check user permissions before allowing access to sensitive data. An authenticated user with low privileges can read information they should not have access to. The vulnerability does not allow modification or deletion of data, only unauthorized viewing.

What an attacker can do

03 Attacker Capabilities

Read sensitive data they should not have access to.

Potential impact on your site

04 Site Impact

User data may be exposed to other authenticated users with lower privilege levels.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege account on the site.

Key dates

06 Disclosure timeline

May 23, 2025 CVE published
May 12, 2026 Record updated