cleantalk
Vulnerabilities and Security Researches

Splitit, CVE-2025-4105

CVE, Research URL

CVE-2025-4105

Home page URL

Security reports for Splitit

Application

Splitit

Published on
May 21, 2025
Research Description
The Splitit plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on several functions in the 'splitIt-flexfields-payment-gateway.php' file in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin settings, including changing the environment from sandbox to production and vice versa.
Affected versions
Min -, max 4.2.8.
Status
vulnerable
Previous vulnerability researches
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-24573) , Jan 26, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-1926) , Mar 10, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2024-13427) , May 25, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-4223) , May 25, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-2104) , Mar 14, 2025
New vulnerability
Tournamatch (CVE-2025-4594) , Jun 02, 2025
WP YouTube Video Optimizer (CVE-2025-4217) , Jun 02, 2025
Relevanssi – A Better Search (CVE-2025-5016) , Jun 02, 2025
Offsprout Page Builder (CVE-2025-4672) , Jun 02, 2025
Cost of Goods Sold (COGS): Cost & Profit Calculator for WooCommerce (CVE-2025-48240) , Jun 02, 2025