CVE-2025-22715

High

Published: 08 January 2026

Published

08 January 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0002 6.6th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22715 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-1 Policy and Procedures

addresses: CWE-862

Requiring an access control policy ensures authorization checks are defined and applied for critical functions.

AC-13 Supervision and Review — Access Control

addresses: CWE-862

Reviews of access controls detect missing authorization checks on critical functions or resources.

AC-14 Permitted Actions Without Identification or Authentication

addresses: CWE-862

Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.

AC-16 Security and Privacy Attributes

addresses: CWE-862

Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.

AC-17 Remote Access

addresses: CWE-862

Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.

AC-18 Wireless Access

addresses: CWE-862

Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.

AC-19 Access Control for Mobile Devices

addresses: CWE-862

The control requires authorization before allowing mobile device connections, directly mitigating missing authorization for system access.

AC-2 Account Management

addresses: CWE-862

Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1485 Data Destruction Impact

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

attack.mitre.org →

Why these techniques?

Missing authorization in public-facing WordPress plugin directly enables remote unauthenticated exploitation (T1190) resulting in arbitrary stored content deletion that produces availability impact (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Missing Authorization vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <=…

1.25.

Deeper analysisAI

CVE-2025-22715 is a missing authorization vulnerability (CWE-862) in the WP Attractive Donations System - Easy Stripe & Paypal donations WordPress plugin by loopus. The flaw allows exploitation of incorrectly configured access control security levels and affects all versions of the plugin from n/a through 1.25 inclusive. Published on 2026-01-08, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation enables arbitrary content deletion within the affected WordPress installation, leading to denial-of-service conditions by disrupting site functionality and potentially rendering content inaccessible.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/WP_AttractiveDonationsSystem/vulnerability/wordpress-wp-attractive-donations-system-easy-stripe-paypal-donations-plugin-1-25-arbitrary-content-deletion-vulnerability?_s_id=cve) characterizes it as an arbitrary content deletion vulnerability specifically in plugin version 1.25 and serves as a key reference for mitigation guidance.

Details

CWE(s): CWE-862

CVEs Like This One

CVE-2026-25443Shared CWE-862

CVE-2026-4365Shared CWE-862

CVE-2026-4119Shared CWE-862

CVE-2025-68547Shared CWE-862

CVE-2025-23512Shared CWE-862

CVE-2026-32817Shared CWE-862

CVE-2025-22657Shared CWE-862

CVE-2025-70150Shared CWE-862

CVE-2026-27181Shared CWE-862

CVE-2025-65669Shared CWE-862

References

https://patchstack.com/database/Wordpress/Plugin/WP_AttractiveDonationsSystem/vulnerability/wordpress-wp-attractive-donations-system-easy-stripe-paypal-donations-plugin-1-25-arbitrary-content-deletion-vulnerability?_s_id=cve
audit@patchstack.com