VYPR
Medium severity 4.3 · NVD Advisory · Published Jan 21, 2025 · Updated Apr 23, 2026

CVE-2025-22721

Description

A missing authorization vulnerability in the ApplyOnline plugin for WordPress allows attackers to exploit incorrectly configured access controls. It affects versions up to 2.6.7.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The ApplyOnline plugin for WordPress (versions up to and including 2.6.7.1) suffers from a missing authorization vulnerability [1]. The plugin fails to properly check access control security levels on certain backend functionality, allowing unauthorized exploitation of incorrectly configured access controls. This affects the apply-online plugin by Farhan Noor, requiring WordPress 5.0+ and PHP 7.0+ [1].

Exploitation

An attacker needs only network access to a WordPress site running the vulnerable plugin version. No authentication or special privileges are required. The attacker can send crafted requests to the vulnerable endpoint(s) to exploit the missing authorization checks, bypassing intended access restrictions [1].

Impact

Successful exploitation results in unauthorized access to plugin features that should be protected. The attacker may be able to view, modify, or delete application data, or perform other administrative actions without proper authorization. This compromises the confidentiality, integrity, and potentially availability of the plugin's data and functionality [1].

Mitigation

The vulnerability is fixed in version 2.6.8.1 of the ApplyOnline plugin, released on 2026-02-24 [1]. Users should update immediately to this version or later. If upgrading is not possible, consider removing the plugin or implementing web application firewall rules to block exploitation attempts until an update can be applied [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
