CVE-2025-24691
Description
Missing authorization in People Lists plugin for WordPress allows arbitrary access to user profile data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The People Lists plugin for WordPress (versions up to and including 1.3.10) contains a missing authorization vulnerability. Its access control security levels are incorrectly configured, which potentially enables unauthorized users to access or modify user profile data managed by the plugin.
Exploitation
An attacker does not require authentication to exploit this vulnerability. The plugin fails to properly verify user permissions on certain endpoints or actions, allowing an attacker to send crafted requests to access or alter profile information stored in the [people-lists list=...] shortcode template or custom fields.
Impact
Successful exploitation could lead to unauthorized disclosure or modification of user profile data, including custom fields added by the plugin and thumbnail images. This poses a risk to user privacy and data integrity.
Mitigation
The vendor has released version 2.0.0 as a fix, published on 2025-01-13 [1]. All users should update to version 2.0.0 or later immediately. No workarounds are provided in the available references.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE), range: <=1.3.10
- (no CPE), range: <=1.3.10
Patches
No patches discovered yet.
References
1
News mentions
No linked articles in our index yet.