CVE-2025-28938
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
The WP Performance Pack plugin for WordPress (up to 2.5.3) has a missing authorization vulnerability that could allow unauthenticated attackers to perform unauthorized actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The WP Performance Pack plugin for WordPress, versions up to and including 2.5.3, suffers from a missing authorization vulnerability. This flaw stems from incorrectly configured access control security levels, allowing functions that should require higher privileges to be executed without proper authentication or nonce checks [1].
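To make the "missing capability and nonce checks" pattern concrete, here is an added illustration, not code from WP Performance Pack: a hypothetical plugin AJAX handler in the vulnerable shape the overview describes, beside the same handler with the checks that close the hole. The hook name, function names and the `wpp_settings` option are assumptions, not identifiers from the plugin.

```php
<?php
// Added illustration, not code from WP Performance Pack. The action name
// wpp_save_settings, the function names and the option wpp_settings are
// hypothetical.

// VULNERABLE SHAPE: the action is also registered for logged-out callers
// (wp_ajax_nopriv_), and the callback never asks who is calling or whether
// the request carries a nonce, so any HTTP client can rewrite plugin
// settings. This is the "missing authorization" class the advisory names.
add_action( 'wp_ajax_wpp_save_settings',        'wpp_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_wpp_save_settings', 'wpp_save_settings_vulnerable' );
function wpp_save_settings_vulnerable() {
    update_option( 'wpp_settings', wp_unslash( $_POST['settings'] ?? array() ) );
    wp_send_json_success();
}

// HARDENED SHAPE: privileged actions are registered for logged-in users
// only, the request must carry a nonce issued to that user, and the
// callback requires an explicit capability before touching state.
add_action( 'wp_ajax_wpp_save_settings', 'wpp_save_settings_hardened' );
function wpp_save_settings_hardened() {
    // Nonce check: rejects requests that did not originate from a page that
    // rendered wp_create_nonce( 'wpp_save_settings' ). Dies with -1 on failure.
    check_ajax_referer( 'wpp_save_settings', '_wpnonce' );

    // Authorization check: a nonce proves intent, not privilege, so the
    // capability test is still required (a subscriber can hold a valid nonce).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Input handling: only accept the expected shape and sanitize each value.
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $settings = array_map( 'sanitize_text_field', $raw );

    update_option( 'wpp_settings', $settings );
    wp_send_json_success( array( 'saved' => count( $settings ) ) );
}
```

When auditing a plugin for this class, list every `add_action( 'wp_ajax_nopriv_...' )`, `admin_post_nopriv_...` and REST route with `permission_callback => '__return_true'`, and confirm each callback performs both a nonce check and a capability check before any state change.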
Exploitation
An attacker can exploit this vulnerability without needing any prior authentication or elevated privileges. The missing authorization check means that any unauthenticated user can trigger actions that are normally restricted to administrators or other privileged roles. The reference notes that such vulnerabilities are commonly used in mass-exploit campaigns targeting thousands of websites [1].
Impact
Successful exploitation could allow an attacker to perform unauthorized actions within the WordPress installation, potentially leading to data modification, privilege escalation, or other malicious activities depending on the specific functions exposed. The CVSS score of 4.3 indicates medium severity, but the ease of exploitation and the potential for automated attacks increase the risk [1].
Mitigation
The vulnerability has been addressed in version 2.5.4 of the plugin. Users are strongly advised to update immediately. For those unable to update, consulting with a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins to ensure timely patching [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2.5.3
Patches
wp-performance-pack: This plugin has been removed from the WordPress.org directory on 2025-04-09 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References
News mentions
No linked articles in our index yet.