CVE-2025-28995

Vulnerability

The Viral Loops WP Integration plugin for WordPress versions up to and including 3.8.1 contains a missing authorization vulnerability. This flaw arises from incorrectly configured access control security levels, allowing certain actions or endpoints to be reachable without proper permission checks [1]. The vulnerability affects all installations using the plugin version 3.8.1 and earlier.

Exploitation

An attacker with network access to the WordPress site can exploit this vulnerability by sending crafted HTTP requests to unauthenticated or improperly secured endpoints within the plugin. No prior authentication or special privileges are required, as the missing authorization check fails to verify user capabilities before executing sensitive operations. The exact mechanism depends on the unprotected functionality, but the attacker can trigger the vulnerable code path directly.

Impact

Successful exploitation allows an attacker to perform actions that should be restricted, such as modifying plugin settings, accessing confidential campaign data, or interfering with the integration’s operations. The impact is moderate (CVSS 5.3) and typically leads to information disclosure or unauthorized configuration changes, without full site compromise in most scenarios.

Mitigation

As of the publication date (2025-06-06), no patched version has been released. The plugin is available on the WordPress plugin repository, and users are advised to disable the plugin until a security update is provided [1]. Monitor the plugin page for version 3.9 or later that addresses this issue. No workarounds have been disclosed in the available references.