CRITICAL🇵🇱 Wersja polska

CVE-2025-11008

CVSS 9.8v3.1pub. 2025-11-04upd. 2026-04-15

The CE21 Suite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.1 via the log file. This makes it possible for unauthenticated attackers to extract sensitive data including authentication credentials, which can be used to log in as other users as long as they have used the plugin's custom authentication feature before. This may include administrators, which makes a complete site takeover possible.

🤖 AI Analysis
How it works

The CE21 Suite plugin stores sensitive information — including login credentials of users using the plugin's custom authentication mechanism — in a log file. This file is accessible without any authentication, allowing anyone from outside to read it. The obtained authentication credentials can be directly used to log into the WordPress site as another user.

Impact

An attacker can take over accounts of any users who used the plugin's authentication function, including administrator accounts — enabling complete control over the WordPress site.

Mitigation & patch

The CE21 Suite plugin should be updated to a version newer than 2.3.1. Patches available from the vendor should be applied according to references. Additionally, it is recommended to immediately change passwords of users who used the custom authentication function of the plugin, and to check server logs for unauthorized access to the log file.

Who is affected

CE21 Suite plugin for WordPress — all versions up to 2.3.1 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References