CVE-2025-12675: 
WordPress vulnerability analysis and mitigation

The KiotViet Sync plugin for WordPress contains a vulnerability (CVE-2025-12675) discovered on November 4, 2025. The vulnerability affects all versions up to and including 1.8.5, allowing unauthorized modification of data due to a missing capability check in the saveConfig() function. This security flaw impacts WordPress installations using the KiotViet Sync plugin (NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The security issue stems from a missing authorization check (CWE-862) in the saveConfig() function, which allows authenticated users with Subscriber-level access or higher to modify the plugin's configuration settings (Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to modify the plugin's configuration settings. This unauthorized access to configuration modifications could potentially lead to security misconfigurations and compromise the integrity of the plugin's operations (NVD).

As of November 4, 2025, the plugin has been permanently closed and is no longer available for download from the WordPress plugin repository. Users are advised to remove the plugin from their WordPress installations (WordPress Plugin).