CVE-2025-31525
Description
Missing authorization in WP Mobile Bottom Menu plugin up to 1.4.0 allows attackers to exploit incorrectly configured access controls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WP Mobile Bottom Menu plugin for WordPress (mobile-bottom-menu-for-wp), in versions up to and including 1.4.0, contains a missing authorization vulnerability that allows exploitation of incorrectly configured access control security levels. The plugin is designed to provide a bottom navigation menu for mobile users. The vulnerability lies in its access control mechanisms, where proper authorization checks are missing for certain functionality. Affected versions: from n/a through 1.4.0. [1]
Exploitation
An attacker does not require any special privileges or authentication to exploit this vulnerability. The missing authorization allows an unauthenticated user to access or modify settings or data that should be restricted. The exact exploitation steps are not detailed in the available references, but the vulnerability type indicates that an attacker can leverage the incorrectly configured access controls to perform actions beyond their intended permissions. [1]
Impact
Successful exploitation could lead to unauthorized access to plugin settings or data, potentially allowing an attacker to modify the mobile menu configuration, inject malicious content, or escalate privileges. The CVSS score of 4.3 (Medium) indicates a moderate impact on confidentiality and integrity. The scope of compromise is limited to the plugin's functionality, but could affect the overall site if the menu is used for critical navigation. [1]
Mitigation
The vulnerability is fixed in version 1.4.6, which was last updated on 2026-03-02. Users are strongly advised to update to the latest version. No workarounds are mentioned in the available references. The plugin is actively maintained, and the update should be applied via the WordPress plugin dashboard. [1]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE), range: <=1.4.0
- (no CPE), range: <=1.4.0
Patches
No patches discovered yet.
References: 1
News mentions: 0 (no linked articles in our index yet)