CVE-2025-22647
Description
Missing authorization in AIO Performance Profiler plugin <=1.2 allows low-privilege users to exploit incorrectly configured access controls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Missing Authorization vulnerability exists in the AIO Performance Profiler, Monitor, Optimize, Compress & Debug plugin for WordPress (all-in-one-performance-accelerator). The plugin fails to properly validate access control security levels, allowing exploitation of incorrectly configured permissions. Affected versions: all versions up to and including 1.2, as indicated in the CVE description [1].
Exploitation
An attacker with low-privilege access (e.g., subscriber-level user) can leverage the missing authorization checks to perform unauthorized actions. No authentication bypass is required beyond having a basic WordPress user account, as the plugin does not enforce proper capabilities for certain functionalities. The exact sequence of steps is not detailed in available references, but the vulnerability can be triggered by sending crafted requests to the plugin's endpoints [1].
Impact
Successful exploitation allows the attacker to escalate privileges or access protected plugin features that should be restricted to higher-level users (e.g., administrators). This can lead to information disclosure, configuration changes, or performance data leakage. The CVSS v3 base score is 4.3 (Medium), indicating limited but notable impact on confidentiality and integrity [1].
Mitigation
The vulnerability is fixed in plugin version 1.3, which was last updated on 2025-06-30. All users are strongly advised to update to version 1.3 immediately. No workarounds have been disclosed. The plugin is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.2
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.