CVE-2025-23512

High

Published: 22 January 2025

Published

22 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0029 52.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Missing Authorization vulnerability in 118group Team 118GROUP Agent team-118group-agent allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Team 118GROUP Agent: from n/a through <= 1.6.0.

Security Summary

CVE-2025-23512 is a missing authorization vulnerability (CWE-862) in the Team 118GROUP Agent WordPress plugin (team-118group-agent). It allows exploitation of incorrectly configured access control security levels, enabling arbitrary content deletion. The issue affects all versions of the plugin from n/a through 1.6.0 and was published on 2025-01-22.

Unauthenticated remote attackers with network access can exploit this vulnerability with low attack complexity and no user interaction. Exploitation leads to high availability impact (A:H) with no confidentiality or integrity effects, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Attackers can delete arbitrary content on affected WordPress sites.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/team-118group-agent/vulnerability/wordpress-team-118group-agent-plugin-1-6-0-arbitrary-content-deletion-vulnerability?_s_id=cve) documents this arbitrary content deletion vulnerability in plugin version 1.6.0. Security practitioners should consult the advisory for recommended mitigations.

Details

CWE(s): CWE-862

References

https://patchstack.com/database/Wordpress/Plugin/team-118group-agent/vulnerability/wordpress-team-118group-agent-plugin-1-6-0-arbitrary-content-deletion-vulnerability?_s_id=cve
audit@patchstack.com