What the vulnerability does
01Description
Missing Authorization vulnerability in wppochipp Pochipp pochipp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Pochipp: from n/a through <= 1.18.0.
CVE-2025-66129
MEDIUM
CVE-2025-66129: WordPress Pochipp plugin <= 1.18.0 - Broken Access Control vulnerability
CVSS base score
5.3/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Explanation of Vulnerability in Simple Terms
02Summary
Pochipp versions up to 1.18.0 lack proper authorization checks, allowing unauthenticated attackers to modify data on the site. The vulnerability requires no user interaction and can be exploited over the network. Update to version 1.19.0 or later to resolve this issue.
What an attacker can do
03Attacker Capabilities
Modify site data without authentication.
Potential impact on your site
04Site Impact
Unauthorized users can alter site content or settings without logging in.
Conditions required to exploit
05Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06Disclosure timeline
December 16, 2025
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2025-7689 Hydra Booking 1.1.0 - 1.1.18 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via tfhb_reset_password_callback Function
CVE-2023-25714 WordPress Quick Paypal Payments plugin <= 5.7.25 - Broken Access Control vulnerability
CVE-2025-23529 WordPress Minterpress plugin <= 1.0.5 - Arbitrary Content Deletion vulnerability
CVE-2026-32440 WordPress WP Food plugin < 2.7.1 - Broken Access Control vulnerability
CVE-2025-13405 Ace Post Type Builder <= 1.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Custom Taxonomy Deletion via 'taxonomy' Parameter
