What the vulnerability does
01Description
Missing Authorization vulnerability in Horea Radu One Page Express Companion one-page-express-companion.This issue affects One Page Express Companion: from n/a through <= 1.6.43.
CVE-2025-62052
MEDIUM
CVE-2025-62052: WordPress One Page Express Companion plugin <= 1.6.43 - Broken Access Control vulnerability
CVSS base score
4.3/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Explanation of Vulnerability in Simple Terms
02Summary
One Page Express Companion versions up to 1.6.43 lack proper authorization checks, allowing authenticated users to modify content they should not have access to. An attacker with a low-privilege account can alter site data without proper permission validation. The vulnerability affects the plugin's core functionality and requires an active user account to exploit.
What an attacker can do
03Attacker Capabilities
Modify site content or settings that should be restricted to higher-privilege users.
Potential impact on your site
04Site Impact
Unauthorized users can alter your site's content, potentially defacing pages or changing settings.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account on the site.
Key dates
06Disclosure timeline
October 22, 2025
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2025-69381 WordPress WooCommerce Bulk Product Editor plugin <= 3.0 - Broken Access Control vulnerability
CVE-2025-4177 Flynax Bridge <= 2.2.0 - Unauthenticated Arbitrary User Deletion
CVE-2026-43580 OpenClaw < 2026.4.10 - Incomplete Navigation Guard Coverage in Browser Interactions
CVE-2024-4520 Improper Access Control in gaizhenbiao/chuanhuchatgpt
CVE-2026-22492 WordPress Docket Cache plugin <= 24.07.04 - Broken Access Control vulnerability
