CVE-2025-31887
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
MyBookProgress by Stormhill Media versions up to 1.0.8 contain a missing authorization vulnerability allowing exploitation of incorrectly configured access control security levels.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A missing authorization vulnerability exists in MyBookProgress by Stormhill Media, a WordPress plugin, affecting versions through 1.0.8 [1]. The flaw resides in the plugin's access control mechanisms, allowing exploitation of incorrectly configured security levels. This issue is classified as a Missing Authorization vulnerability [1].
Exploitation
To exploit this vulnerability, an attacker requires no special network position beyond standard WordPress user access. The lack of proper authorization checks means that an attacker with low privileges (such as a subscriber) can access restricted functionality or data without further authentication [1]. Specific steps are not detailed in the available references, but the nature of the bug suggests direct manipulation of requests or endpoints lacking capability checks.
Impact
Successful exploitation leads to information disclosure or unauthorized modification of data, depending on the affected endpoints. The attacker gains the ability to bypass intended access controls, potentially viewing or altering book progress entries for other users, or performing other restricted actions [1]. The CIA impact is limited by the plugin's scope but could compromise user privacy and data integrity.
Mitigation
The plugin has been closed and removed from the WordPress.org plugin directory as of January 16, 2025, due to a security issue [1]. No patched version is available. Users who have the plugin installed should uninstall it immediately [1]. There is no known workaround, and the plugin is effectively end-of-life [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.0.8
- (no CPE) range: <=1.0.8
Patches
0 patches.
mybookprogress: This plugin has been removed from the WordPress.org directory on 2025-01-16 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page