CVE-2025-4654: 
WordPress vulnerability analysis and mitigation

The Soumettre.fr plugin for WordPress (CVE-2025-4654) contains a vulnerability related to unauthorized access and modification of data, discovered and disclosed in July 2025. The vulnerability affects all versions up to and including 2.1.5 of the plugin, specifically impacting installations where the soumettre account is not connected (i.e., API key is not installed) (NVD, CVE).

The vulnerability stems from improper authorization checks in the make_signature function, which allows unauthenticated attackers to bypass security controls. The vulnerability has been assigned a CVSS v3.1 base score of 3.7 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N. The issue has been classified under CWE-285 (Improper Authorization) (NVD).

When exploited, this vulnerability allows unauthenticated attackers to create, edit, or delete Soumettre posts on affected WordPress installations. The impact is limited to installations where the soumettre account is not connected with an API key (NVD).

Users should ensure their Soumettre.fr plugin is properly configured with an API key installed. The vulnerability can be mitigated by connecting the soumettre account and installing the API key (NVD).