CVE-2025-24693
Description
Missing authorization in Advanced Notifications plugin for WordPress allows unauthorized access to restricted functionality, affecting versions up to 1.2.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Advanced Notifications plugin for WordPress (versions up to and including 1.2.7) contains a missing authorization vulnerability: the plugin does not properly verify user permissions before allowing access to certain administrative or privileged actions, which permits exploitation of incorrectly configured access control security levels. All installations running version 1.2.7 or earlier are affected [1].
Exploitation
An attacker can exploit this vulnerability by sending crafted HTTP requests to the WordPress site, potentially without requiring authentication or with minimal privileges. The exact attack vector is not detailed in the available references, but the missing authorization check could allow an attacker to perform actions that should be restricted to higher-privileged users, such as modifying notification settings or accessing sensitive data.
Impact
Successful exploitation could lead to unauthorized modification of plugin settings, creation or deletion of notifications, or disclosure of information. The impact is limited to the functionality of the Advanced Notifications plugin, but could be used to alter the appearance or behavior of notifications on the site, potentially affecting user experience or security.
Mitigation
The vulnerability is fixed in version 1.2.9 of the Advanced Notifications plugin, released on 2025-03-10 [1]. Users are strongly advised to update to this version or later. No workarounds are documented in the available references. If updating is not possible, consider disabling the plugin until a patch can be applied.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE), range: <=1.2.7
- (no CPE), range: <=1.2.7
Patches
No patches discovered yet.
References
1 reference
News mentions
No linked articles in our index yet.