KiotViet Sync WordPress Plugin Authorization Bypass Vulnerability

Vulnerability

A vulnerability allowing authorization bypass has been identified in the KiotViet Sync plugin for WordPress, affecting all versions through 1.8.5. The issue arises because the plugin uses a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This vulnerability enables unauthenticated attackers to create and sync products.

Impact

Exploitation of this vulnerability allows unauthorized users to create and synchronize products on the affected WordPress site.

Added: Nov 5, 2025, 8:17 AM

Updated: Nov 5, 2025, 8:17 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

7.4

remediation

0.0

relevance

1.0

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

7.4

remediation

0.0

relevance

1.0

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

KiotViet Sync WordPress Plugin Authorization Bypass Vulnerability

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating