CVE-2025-47469
Description
Missing Authorization vulnerability in slui Media Hygiene media-hygiene allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Media Hygiene: from n/a through <= 4.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Media Hygiene plugin for WordPress ≤4.0.0 has a missing authorization flaw allowing unauthenticated privilege escalation.
Vulnerability Overview
The WordPress plugin Media Hygiene, up to version 4.0.0, is affected by a Missing Authorization vulnerability (CWE-862). This flaw allows an attacker to bypass access control checks in one or more server-side functions, effectively executing actions that should require higher privilege levels. The issue stems from the plugin’s failure to properly validate nonce tokens or user capabilities before processing requests.[1]
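The missing nonce and capability checks described above, shown as an added example of the general WordPress AJAX handler pattern. This is not code from Media Hygiene; the action names, the nonce name, the `attachment_id` parameter and the function names are hypothetical.

```php
<?php
// Added example: hypothetical plugin code, not taken from Media Hygiene.
// Action, nonce, parameter and function names are assumptions.

// BEFORE (for contrast): the CWE-862 pattern. The nopriv hook exposes the
// handler to logged-out visitors, and nothing verifies who is calling.
add_action( 'wp_ajax_example_delete_media', 'example_delete_media_unchecked' );
add_action( 'wp_ajax_nopriv_example_delete_media', 'example_delete_media_unchecked' );

function example_delete_media_unchecked() {
    $id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    wp_delete_attachment( $id, true ); // runs for any caller
    wp_send_json_success();
}

// AFTER: logged-in hook only, nonce check, then a per-object capability check.
add_action( 'wp_ajax_example_delete_media_safe', 'example_delete_media_checked' );

function example_delete_media_checked() {
    // 1. The nonce ties the request to a form this site rendered for this
    //    user. Passing false as the third argument lets us send our own error.
    if ( ! check_ajax_referer( 'example_delete_media', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // 2. Validate the target before acting on it.
    $id = isset( $_POST['attachment_id'] ) ? absint( wp_unslash( $_POST['attachment_id'] ) ) : 0;
    if ( ! $id || 'attachment' !== get_post_type( $id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown attachment' ), 400 );
    }

    // 3. A nonce is not authorization: any logged-in user can hold a valid
    //    one, so the capability check on this specific object is required.
    if ( ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    if ( ! wp_delete_attachment( $id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}
```

`wp_send_json_error()` terminates the request after sending its response, so each failed check stops the handler before the privileged call is reached.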
Exploitation Conditions
An unprivileged user, or even an unauthenticated attacker depending on the specific broken function, can trigger the vulnerable endpoints without proper authorization. No special network position or additional prerequisites are needed beyond the ability to send HTTP requests to a WordPress instance running the affected plugin. Attackers may chain this with other bugs to escalate privileges or perform unauthorized administrative operations.[1]
Impact
Successful exploitation grants an attacker the ability to perform higher-privileged actions, such as modifying plugin settings, deleting media entries, or potentially injecting malicious content. The CVSS v3 base score of 5.4 (Medium) reflects the potential for partial integrity and availability impact without direct data confidentiality loss.[1]
Mitigation
The vulnerability has been patched in version 4.0.1 of Media Hygiene. Website administrators are strongly advised to update immediately or enable auto-updates for the plugin. If updating is not immediately possible, restricting access to the plugin’s administrative functions via a Web Application Firewall (WAF) or server-level access controls can reduce risk.[1]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.