CVE-2025-24600
Description
A missing authorization vulnerability in RSVPMarker plugin up to 11.4.5 allows unauthenticated access to sensitive functions, risking bulk exploitation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
The RSVPMarker plugin for WordPress versions from n/a through 11.4.5 lacks proper authorization checks in certain functions, constituting a Missing Authorization vulnerability [1]. This flaw falls under the category of broken access control, where the plugin fails to verify user privileges before executing higher-privileged actions [1].
Exploitation Context
An attacker can exploit this vulnerability without authentication by directly accessing functions that should require elevated permissions. Due to the nature of WordPress plugin vulnerabilities, this issue is particularly concerning because it can be leveraged in mass-exploit campaigns targeting thousands of sites simultaneously, regardless of site size or popularity [1].
Impact and Mitigation
Successful exploitation enables unprivileged users to perform actions intended for administrators or other higher-privileged roles, potentially leading to data exposure, configuration changes, or other unauthorized operations [1]. The CVSS v3 score of 5.3 (Medium) reflects this moderate but tangible risk. The vendor has addressed the issue in version 11.4.6; users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended [1]. Patchstack users can enable auto-updates for vulnerable plugins.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
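The narrative above describes the vulnerability class (a WordPress plugin action reachable without a privilege check) but not the concrete code path. The following is an added illustration of that class, written for this page; it is not code from the RSVPMarker plugin, and every hook name, function name, route and option key in it is hypothetical. It shows the two places such a check is most often missing in WordPress plugins, an admin-ajax handler and a REST route, each beside its hardened form.

```php
<?php
// Added illustration of the Missing Authorization pattern (broken access
// control). NOT RSVPMarker code: all names below are hypothetical.

// ---------------------------------------------------------------------------
// 1. admin-ajax handler
// ---------------------------------------------------------------------------

// Vulnerable pattern: the same callback is registered for logged-in callers
// (wp_ajax_*) and anonymous callers (wp_ajax_nopriv_*), and the callback
// performs an administrative action with no capability or nonce check.
add_action( 'wp_ajax_example_save_settings',        'example_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_vulnerable' );

function example_save_settings_vulnerable() {
    // No current_user_can() and no nonce: any visitor who posts to
    // admin-ajax.php with this action name can rewrite the option.
    update_option( 'example_plugin_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_send_json_success();
}

// Hardened pattern: register only for authenticated users, verify a nonce,
// and require the capability the action actually needs before acting.
add_action( 'wp_ajax_example_save_settings_safe', 'example_save_settings_safe' );

function example_save_settings_safe() {
    // check_ajax_referer() terminates the request if the nonce is missing or invalid.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // Authorization: only users who may manage options get past this point.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $settings = sanitize_text_field( wp_unslash( $_POST['settings'] ?? '' ) );
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}

// ---------------------------------------------------------------------------
// 2. REST API route
// ---------------------------------------------------------------------------
add_action( 'rest_api_init', function () {
    // Vulnerable pattern: permission_callback is '__return_true', so the
    // route is open to every unauthenticated request.
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_save_settings',
        'permission_callback' => '__return_true',
    ) );

    // Hardened pattern: permission_callback enforces the required capability.
    // REST requests from a logged-in browser session also need the X-WP-Nonce
    // header, which WordPress core validates before the callback runs.
    register_rest_route( 'example/v1', '/settings-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function example_rest_save_settings( WP_REST_Request $request ) {
    $settings = sanitize_text_field( (string) $request->get_param( 'settings' ) );
    update_option( 'example_plugin_settings', $settings );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

When auditing a plugin for this class of flaw, the quick checks are the ones the contrast above makes visible: every `wp_ajax_nopriv_` registration, every `permission_callback` set to `__return_true`, and every callback that writes options, posts or users without a `current_user_can()` call. On the operations side, the bulk-exploitation concern in the narrative means that unauthenticated POST requests to `admin-ajax.php` or `/wp-json/` routes arriving across many sites in a short window are worth alerting on, independent of whether a specific site runs the affected plugin.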
Affected products
- Range: <=11.4.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.