{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25471", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:59.642Z", "datePublished": "2026-03-19T07:17:54.170Z", "dateUpdated": "2026-04-01T16:00:42.990Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "admin-safety-guard", "product": "Admin Safety Guard", "vendor": "Themepaste", "versions": [{"lessThanOrEqual": "1.2.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Robert Akhmerov (v31dt) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:01.432Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Themepaste Admin Safety Guard admin-safety-guard allows Password Recovery Exploitation.<p>This issue affects Admin Safety Guard: from n/a through <= 1.2.6.</p>"}], "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Themepaste Admin Safety Guard admin-safety-guard allows Password Recovery Exploitation.This issue affects Admin Safety Guard: from n/a through <= 1.2.6."}], "impacts": [{"capecId": "CAPEC-50", "descriptions": [{"lang": "en", "value": "Password Recovery Exploitation"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "description": "Authentication Bypass Using an Alternate Path or Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T16:00:42.990Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/admin-safety-guard/vulnerability/wordpress-admin-safety-guard-plugin-1-2-2-broken-authentication-vulnerability?_s_id=cve"}], "title": "WordPress Admin Safety Guard plugin <= 1.2.6 - Broken Authentication vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T13:45:07.473110Z", "id": "CVE-2026-25471", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:45:16.958Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25471", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-19T13:45:07.473110Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:45:12.604Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress Admin Safety Guard plugin <= 1.2.6 - Broken Authentication vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Robert Akhmerov (v31dt) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-50", "descriptions": [{"lang": "en", "value": "CAPEC-50 Password Recovery Exploitation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Themepaste", "product": "Admin Safety Guard", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "1.2.6"}], "packageName": "admin-safety-guard", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/admin-safety-guard/vulnerability/wordpress-admin-safety-guard-plugin-1-2-2-broken-authentication-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Themepaste Admin Safety Guard allows Password Recovery Exploitation.This issue affects Admin Safety Guard: from n/a through 1.2.6.", "supportingMedia": [{"type": "text/html", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Themepaste Admin Safety Guard allows Password Recovery Exploitation.<p>This issue affects Admin Safety Guard: from n/a through 1.2.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T07:17:54.170Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25471", "state": "PUBLISHED", "dateUpdated": "2026-03-19T13:45:16.958Z", "dateReserved": "2026-02-02T12:53:59.642Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T07:17:54.170Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Themepaste Admin Safety Guard admin-safety-guard allows Password Recovery Exploitation.This issue affects Admin Safety Guard: from n/a through <= 1.2.6."}, {"lang": "es", "value": "Vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n usando una ruta o canal alternativo en Themepaste Admin Safety Guard permite la explotaci\u00f3n de la recuperaci\u00f3n de contrase\u00f1a. Este problema afecta a Admin Safety Guard: desde n/a hasta 1.2.6."}], "id": "CVE-2026-25471", "lastModified": "2026-04-01T17:28:36.157", "metrics": {}, "published": "2026-03-19T08:16:19.140", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/admin-safety-guard/vulnerability/wordpress-admin-safety-guard-plugin-1-2-2-broken-authentication-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Admin Safety Guard", "source": "cna", "vendor": "Themepaste"}, "product": "admin_safety_guard", "vendor": "themepaste"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T08:21:01.798752+00:00", "value": {"mitigation_remediation": ["Check for and apply the latest version of the Admin Safety Guard plugin (>=1.2.7 if available).", "If an update is not yet available, disable or restrict the password recovery feature until a patch is released.", "Enforce strong, unique passwords for all administrative accounts.", "Monitor site logs for suspicious login attempts and unauthorized access."], "summary": {"action": "Apply Update", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "Affected systems include the Themepaste Admin Safety Guard WordPress plugin, versions from the earliest release through 1.2.6. Any site using one of these versions and having the plugin installed is vulnerable.", "description_and_impact": "The vulnerability is an authentication bypass via an alternate path or channel that allows attackers to exploit the password recovery function, enabling unauthorized access to the WordPress admin area. This issue is categorized as CWE-288, indicating a failure to properly authenticate users. The impact is that an attacker can gain administrative privileges without needing to know a valid password.", "risk_and_exploitability": "The CVSS score of 8.1 classifies this as high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Likely exploitation would occur remotely over the web interface, requiring only access to a site that has password recovery enabled. Because the flaw bypasses authentication, the potential impact ranges from single administrative account compromise to full site takeover."}}}}, "created": "2026-03-19T08:54:28.813394+00:00", "updated": "2026-03-20T14:15:43.790882+00:00", "vendors": ["themepaste", "themepaste$PRODUCT$admin_safety_guard", "wordpress", "wordpress$PRODUCT$wordpress"]}