CVE-2025-26995
Description
Missing Authorization vulnerability in Anton Vanyukov Market Exporter market-exporter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Market Exporter: from n/a through <= 2.0.21.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Market Exporter plugin ≤2.0.21 has a missing authorization vulnerability allowing unauthenticated or low-privileged users to exploit incorrectly configured access controls.
Vulnerability Overview
The Market Exporter plugin for WordPress, versions up to and including 2.0.21, suffers from a missing authorization vulnerability [1]. This is a type of broken access control issue where the plugin fails to properly verify that a user has the necessary permissions before allowing certain actions [1]. The root cause is the absence of adequate access control checks in one or more plugin functions, which could be exploited by attackers who have not been granted the appropriate privileges.
Exploitation Details
Exploitation of this vulnerability does not require the attacker to have administrator-level access [1]. Because the check for authorization is missing or insufficient, an attacker with a lower-privileged account (such as a subscriber) or even an unauthenticated user may be able to trigger functions that should be restricted to higher-level roles like administrators [1]. The attack surface is the WordPress admin interface and any exposed endpoints that invoke the vulnerable functions. No special network position is required; the attack can be carried out remotely over HTTP.
Impact
If successfully exploited, an attacker could perform unauthorized actions within the affected site [1]. This could include modifying plugin settings, exporting sensitive data, or other operations that the plugin normally restricts to authorized users. The CVSS v3 score is 5.4 (Medium), indicating a moderate severity due to the potential for data exposure or limited control over the site, but not full compromise of the WordPress installation.
Mitigation
The vendor has released version 2.0.22 which addresses the missing authorization [1]. Users are strongly advised to update to this latest version immediately. If updating is not possible, administrators should consider disabling the plugin or restricting access via other means, though no specific workaround is provided beyond the update [1]. The vulnerability is listed in Patchstack's database and is considered low severity; however, it is known to be used in mass-exploit campaigns, so timely patching is recommended [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=2.0.21
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.