CVE-2025-28994
Description
Missing authorization in Viral Loops WP Integration ≤3.8.1 allows unauthenticated attackers to exploit incorrectly configured access control.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Viral Loops WP Integration plugin for WordPress (versions 3.8.1 and earlier) contains a missing authorization vulnerability [1]. The plugin does not enforce access control on certain functionality, so incorrectly configured access control security levels can be exploited. All versions up to and including 3.8.1 are affected.
Exploitation
An attacker does not need authentication to exploit this vulnerability. By sending crafted HTTP requests to the affected plugin endpoints, an attacker can trigger the vulnerable code path due to missing authorization checks. The exact attack vector is not detailed in the available references, but the vulnerability class (CWE-862) indicates that the software does not perform an authorization check when an actor attempts to access a resource or perform an action.
Impact
Successful exploitation allows an attacker to bypass access controls and perform unauthorized actions within the context of the WordPress plugin. This could lead to unauthorized modification of plugin settings, access to restricted functionality, or other impacts depending on the specific missing authorization. The CVSS v3 base score of 4.3 (Medium) suggests limited impact on confidentiality, integrity, or availability.
Mitigation
As of June 2025, no patched version has been released. The vendor has not responded or issued a security update. Users should consider disabling the plugin until a fix is available, as no workaround has been published. The CVE does not appear in the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <=3.8.1
- (no CPE) range: <=3.8.1
Patches
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.