CVE-2025-31555

Vulnerability

Description

The ContentMX Content Publisher plugin for WordPress versions up to and including 1.0.6 contains a missing authorization vulnerability (Broken Access Control). This issue arises from incorrectly configured access control security levels, where certain functions or endpoints fail to properly verify the user's privileges before granting access [1].

Exploitation

An attacker who can reach the affected plugin's administrative or privileged functions without proper authentication can exploit this flaw. The vulnerability does not require the attacker to have an existing high-privileged account; instead, it allows any user (or potentially an unauthenticated visitor) to execute actions that should be restricted to administrators or other authorized roles [1]. The attack vector is network-based and requires no special prior conditions beyond having access to the WordPress installation.

Impact

By abusing this broken access control, an unauthenticated attacker could perform actions reserved for higher-privilege roles, such as modifying plugin settings, publishing or deleting content, or accessing sensitive information. This can lead to unauthorized content manipulation or site compromise, depending on the exposed functionality [1].

Mitigation

The vulnerability has been addressed in version 1.0.7 of the plugin. Users are strongly advised to update immediately. If updating is not possible, site owners should contact their hosting provider or web developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins [1].