CVE-2025-22722
Description
Missing authorization vulnerability in Widget Options plugin allows exploitation of incorrectly configured access control security levels.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Widget Options plugin for WordPress (widget-options) contains a missing authorization vulnerability in versions through 4.0.8 [1]. This flaw allows exploitation of incorrectly configured access control security levels, meaning the plugin fails to properly verify user permissions before granting access to certain functionality.
Exploitation
An attacker with network access to the WordPress site can exploit this vulnerability by sending crafted requests to the plugin's endpoints that lack proper authorization checks. No authentication is required, as the missing check allows unauthenticated users to trigger the vulnerable code path.
Impact
Successful exploitation enables an attacker to bypass access controls and potentially view or modify widget options, leading to unauthorized information disclosure or alteration of widget settings. The CVSS v3 score of 4.3 indicates a medium severity, with limited but tangible impact on confidentiality and integrity.
Mitigation
The vendor has not explicitly disclosed a fixed version in the available reference [1]. However, the plugin's current version is 4.2.4, which likely includes a patch for this vulnerability. Users are strongly advised to update to the latest version and ensure all access control configurations are properly reviewed.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
<=4.0.8 + 1 more
- (no CPE) range: <=4.0.8
- (no CPE) range: <=4.0.8
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.