CVE-2025-4105: 
WordPress vulnerability analysis and mitigation

The Splitit plugin for WordPress contains a vulnerability (CVE-2025-4105) discovered on May 21, 2025. The vulnerability affects all versions up to and including 4.2.8 of the Splitit plugin and is related to unauthorized modification of data due to missing capability checks in the 'splitIt-flexfields-payment-gateway.php' file (NVD).

The vulnerability stems from missing capability checks on several functions in the 'splitIt-flexfields-payment-gateway.php' file. This security flaw allows authenticated attackers with Subscriber-level access or higher to modify plugin settings, including the ability to switch the environment between sandbox and production modes. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, and is classified as CWE-862 (Missing Authorization) (NVD).

The vulnerability allows authenticated attackers to modify plugin settings without proper authorization. This could lead to unauthorized changes in the plugin's configuration, particularly concerning the environment settings between sandbox and production modes, which could potentially impact payment processing and system security (NVD).