CVE-2025-46470
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
The Smart Hashtags [#hashtagger] WordPress plugin <=7.2.3 has a missing authorization vulnerability allowing unauthenticated attackers to exploit incorrectly configured access controls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Smart Hashtags [#hashtagger] WordPress plugin <=7.2.3 has a missing authorization vulnerability allowing unauthenticated attackers to exploit incorrectly configured access controls.
Vulnerability
Overview The Smart Hashtags [#hashtagger] plugin for WordPress (versions up to and including 7.2.3) suffers from a missing authorization vulnerability. This broken access control issue means that certain functions within the plugin do not properly verify user permissions or nonce tokens, allowing unauthorized actions to be performed.
Exploitation
An attacker can exploit this vulnerability without requiring any authentication. By sending crafted HTTP requests to vulnerable endpoints, an unprivileged user can trigger actions that should be restricted to higher-privileged roles. This type of vulnerability is commonly targeted in mass-exploit campaigns, as noted in the advisory [1].
Impact
Successful exploitation could allow an attacker to modify plugin settings, access sensitive data, or perform other unauthorized operations. The CVSS score of 4.3 (Medium) reflects the potential for partial compromise of the affected site.
Mitigation
The vendor has released a fix; users are strongly advised to update the plugin to the latest version immediately. If updating is not possible, consulting with a hosting provider or web developer for alternative protections is recommended [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=7.2.3
Patches
0hashtaggerThis plugin has been removed from the WordPress.org directory on 2025-04-23 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.