CVE-2025-31540

Vulnerability

Overview The ACME Divi Modules WordPress plugin (versions up to and including 1.3.5) contains a missing authorization vulnerability [1]. This is a classic broken access control issue, where the plugin fails to properly verify permissions or nonce tokens for certain functions, effectively missing an authorization check [1]. The vulnerability allows exploiting incorrectly configured access control security levels.

Exploitation

Details Attackers can exploit this vulnerability without needing any authentication, as the flaw stems from missing authorization checks rather than weak credentials [1]. The plugin is installed on WordPress sites, and the attack surface is the public-facing web interface. No special network position or prior access is required. The vulnerability is considered suitable for mass-exploit campaigns, enabling attackers to target thousands of websites simultaneously [1].

Impact

Successful exploitation allows an unprivileged user (or completely unauthenticated attacker) to perform higher-privileged actions that should be restricted [1]. This can range from viewing sensitive data to modifying site configurations or content, depending on the specific functions lacking authorization. The CVSS v3 base score is 4.3 (Medium), reflecting the lower complexity but potential for widespread harm [1].

Mitigation

The vendor has not yet released a patched version, as the advisory was published on March 31, 2025 [1]. Immediate recommended action is to update the plugin once a fix becomes available. If updating is not possible, site owners should consult with their hosting provider or web developer to implement workarounds, such as disabling the plugin or applying access control rules [1].