Security Alert Summary
The The Bucketlister plugin for WordPress contains a missing capability check in the bucketlister_do_admin_ajax() function in all versions up to and including 0.1.5. This allows authenticated users with Subscriber-level access or higher to add, delete, or modify bucket list items via the affected administrative AJAX endpoint.
CVE Details
- CVE ID: CVE-2025-15476
- Affected plugin/component: The Bucketlister plugin for WordPress
- Affected versions: All versions up to and including 0.1.5
- Published: February 7, 2026 at 9:15 AM UTC
- Last modified: February 7, 2026 at 9:15 AM UTC
- CVSS v3.1: Base Score 4.3, Severity MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW (authenticated user such as Subscriber-level)
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: NONE
- Integrity Impact: LOW
- Availability Impact: NONE
- Authentication / Privileges: Authentication required; attackers must be authenticated with at least Subscriber-level privileges (per the CVE description).
- CWE / Weakness: CWE-862 (Missing Authentication for Critical Function)
Technical Details
The vulnerability is caused by a missing capability check in the bucketlister_do_admin_ajax() function. Because this administrative AJAX handler does not verify that the caller has the required capabilities, authenticated users with low-level privileges (Subscriber and above) can invoke the handler to add, delete, or modify arbitrary bucket list items. The CVE description identifies the absence of the capability check as the root cause.
The impact is limited to modification of bucket list items (integrity impact). There is no indication in the CVE entry of data disclosure or availability impact. No further functions, endpoints, or exploit details are specified in the CVE beyond the named AJAX handler.
How This Could Impact Your Website
In a typical WordPress site with multiple users, the following realistic scenario illustrates the impact:
- The site owner or administrator installs The Bucketlister plugin and assigns roles to internal staff and external contributors.
- An authenticated user with Subscriber-level access (for example, a registered contributor or an external contractor given a low-level account) could use the vulnerable AJAX handler to add, remove, or change bucket list items without administrator approval.
- Practical consequences include altered or missing list items, misleading content presented to site visitors, disruption of internal task lists or public lists managed through the plugin, and additional administrative effort to detect and correct unauthorized changes.
The CVSS data indicates integrity impact only (no confidentiality or availability impact). If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
- Review and reduce unnecessary user roles and privileges, especially accounts with Contributor or higher privileges.
- Enforce strong passwords and enable two-factor authentication for Editors and Administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and plugin logs for unusual behavior or unexpected changes to content managed by the plugin.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.