cleantalk
Vulnerabilities and Security Researches

KiotViet Sync, CVE-2025-12676

CVE, Research URL

CVE-2025-12676

Home page URL

Security reports for KiotViet Sync

Application

KiotViet Sync

Published on
Nov 05, 2025
Research Description
The KiotViet Sync plugin for WordPress is vulnerable to authorizarion bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attackers to create and sync products.
Affected versions
max 1.8.5.
Status
vulnerable
Previous vulnerability researches
Post Grid for Elementor & Product Grid | PowerGrids (513b8cac04964f7c742c50353b32f41d519b21a5) , Jun 07, 2024
New vulnerability
Responsive iframe GoogleMap (CVE-2025-11813) , Nov 10, 2025
FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) (CVE-2025-11975) , Nov 10, 2025
FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) (CVE-2025-11976) , Nov 10, 2025
Flexible Refund and Return Order for WooCommerce (CVE-2025-10570) , Nov 10, 2025
Lazy Load Optimizer (CVE-2025-60074) , Nov 10, 2025