CVE-2025-6003 PUBLISHED

WordPress Single Sign-On (SSO) - Multiple Versions - Incorrect Authorization to Sensitive Information Exposure

Assigner: Wordfence
Reserved: 11.06.2025 Published: 12.06.2025 Updated: 12.06.2025

The WordPress Single Sign-On (SSO) plugin for WordPress is vulnerable to unauthorized access due to a misconfigured capability check on a function in all versions up to, and including, the *.5.3 versions of the plugin. This makes it possible for unauthenticated attackers to extract sensitive data including site content that has been restricted to certain users and/or roles.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3

Product Status

Vendor cyberlord92
Product WordPress Single Sign-On (SSO) - Single Site Standard
Versions Default: unaffected
  • affected from * to 18.5.3 (incl.)
Vendor cyberlord92
Product WordPress Single Sign-On (SSO) - Single Site Premium
Versions Default: unaffected
  • affected from * to 28.5.3 (incl.)
Vendor cyberlord92
Product WordPress Single Sign-On (SSO) - Multisite Premium
Versions Default: unaffected
  • affected from * to 30.5.3 (incl.)
Vendor cyberlord92
Product WordPress Single Sign-On (SSO) - Single Site Enterprise
Versions Default: unaffected
  • affected from * to 38.5.3 (incl.)
Vendor cyberlord92
Product WordPress Single Sign-On (SSO) - Multisite Enterprise
Versions Default: unaffected
  • affected from * to 40.5.3 (incl.)
Vendor cyberlord92
Product WordPress Single Sign-On (SSO) - Single Site All-Inclusive
Versions Default: unaffected
  • affected from * to 48.5.3 (incl.)
Vendor cyberlord92
Product WordPress Single Sign-On (SSO) - Multisite All-Inclusive
Versions Default: unaffected
  • affected from * to 50.5.3 (incl.)

Credits

  • Israël Hallé finder

References

Problem Types

  • CWE-863 Incorrect Authorization CWE