VYPR
Medium severity5.3NVD Advisory· Published May 19, 2025· Updated Apr 23, 2026

CVE-2025-39368

Description

Missing Authorization vulnerability in ed4becky Rootspersona (rootspersona) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rootspersona: from n/a through <= 3.7.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in the WordPress Rootspersona plugin (≤ 3.7.5) lets an unauthenticated requester reach functionality the plugin meant to restrict to a higher access level.

The Rootspersona plugin for WordPress carries a missing-authorization weakness (CVE-2025-39368) in versions up to and including 3.7.5. "Missing Authorization" is the CWE-862 class: some code path performs an action without first confirming that the requester holds the capability that action requires. The attack pattern named in the description, "Exploiting Incorrectly Configured Access Control Security Levels", is CAPEC-180. The description does not identify which function or endpoint lacks the check; it states only that the intended access-control level can be bypassed [1].

Exploitation requires no authentication and no special network position: an attacker who can reach the site over HTTP can send crafted requests to the affected endpoint and trigger an action the plugin meant to reserve for higher-privileged users. Missing-authorization bugs in WordPress plugins are a class that is routinely scanned for and abused at scale once they become public, which is why the referenced advisory treats them as urgent even at medium severity [1].

What an attacker can actually do depends on which action lacks the check, and this page does not say. Typical outcomes for this bug class are unauthorized changes to plugin settings or stored data, or disclosure of data the plugin should have protected; combined with another weakness this can escalate to site compromise. The CVSS 5.3 score is consistent with a network-reachable, low-complexity, unauthenticated issue whose direct impact is limited to a single confidentiality or integrity metric rather than full control [1].

As a mitigation, update the plugin to a version newer than 3.7.5 as soon as one is available; note that this page currently lists no patch, so confirm a fixed release exists before assuming the update resolves the issue. If no fixed version is available, deactivating or removing the plugin removes the reachable code path. No workarounds are detailed in the advisory, so the update (or removal) is the primary remediation; users who cannot do this themselves should contact their hosting provider or a web developer [1].
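The following is an added illustration of the CWE-862 pattern described above and of the capability check that closes it. It is not Rootspersona's code, and this page does not say which Rootspersona function is affected; the hook names, nonce action and option name below are hypothetical. The point it makes is that a nonce is a CSRF control and does not replace authorization: the `current_user_can()` check is what actually fixes a missing-authorization bug.

```php
<?php
/**
 * Added example of a WordPress missing-authorization bug and its fix.
 * Not Rootspersona's own code. Hook names, nonce action and option name
 * ('rp_save_settings', 'rp_settings') are hypothetical.
 */

// --- Vulnerable pattern ---
// Registered on the nopriv hook, so admin-ajax.php?action=rp_save_settings
// is reachable without logging in, and the handler checks nothing before
// writing an option that should only be changeable by an administrator.
add_action( 'wp_ajax_nopriv_rp_save_settings', 'rp_save_settings_vulnerable' );
add_action( 'wp_ajax_rp_save_settings',        'rp_save_settings_vulnerable' );

function rp_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'rp_settings', $settings );   // no authorization, no CSRF check, no sanitization
    wp_send_json_success();
}

// --- Hardened pattern ---
// Privileged actions are registered only on the logged-in hook; there is no
// wp_ajax_nopriv_ registration at all.
add_action( 'wp_ajax_rp_save_settings', 'rp_save_settings_hardened' );

function rp_save_settings_hardened() {
    // Authorization (the actual fix for CWE-862): the caller must hold the
    // capability the action requires. Done first, before any other work.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // wp_send_json_error() calls wp_die()
    }

    // CSRF defence: the request must carry a nonce bound to this action and
    // this user. This is a separate control, not a substitute for the check above.
    check_ajax_referer( 'rp_save_settings', 'nonce' );

    // Input validation: accept only an array and sanitise each value.
    $raw   = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
           ? wp_unslash( $_POST['settings'] )
           : array();
    $clean = array_map( 'sanitize_text_field', $raw );

    update_option( 'rp_settings', $clean );
    wp_send_json_success( $clean );
}
```

To check exposure on a site you administer, read the installed version with WP-CLI (`wp plugin get rootspersona --field=version`, using the slug given in the description) and treat anything at or below 3.7.5 as affected; `wp plugin deactivate rootspersona` removes the reachable code path until a fixed release is confirmed.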

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1 (Rootspersona by ed4becky, versions through 3.7.5)

Patches: 0. No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1 (cited as [1] above; the entry itself is not reproduced on this page)

News mentions: 0. No linked articles in our index yet.