CVE-2025-47471
Description
Missing Authorization vulnerability in EnvoThemes Envo Extra envo-extra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Envo Extra: from n/a through <= 1.9.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing authorization vulnerability in Envo Extra (≤1.9.9) allows unauthenticated exploitation of broken access control, enabling attackers to perform unauthorized actions.
Vulnerability Details
The Envo Extra WordPress plugin (versions up to and including 1.9.9) contains a missing authorization vulnerability. The plugin fails to properly check access control security levels, meaning functions that should require higher privileges are accessible without authentication or with insufficient authorization. This is a classic broken access control issue, as described in the Patchstack advisory [1].
Exploitation
No authentication is required to exploit this flaw. An attacker can send specially crafted requests to the affected plugin endpoints, bypassing intended permission checks. This type of vulnerability is commonly targeted in mass-exploit campaigns, allowing attackers to compromise thousands of WordPress sites simultaneously [1].
Impact
Successful exploitation grants an attacker the ability to perform actions reserved for higher-privileged users, such as modifying plugin settings or other sensitive operations. The CVSS v3 score is 4.3 (Medium), reflecting a moderate impact with low exploit complexity [1].
Mitigation
The vulnerability is patched in version 1.9.10 of the Envo Extra plugin. Users are strongly advised to update immediately. Plugin auto-updates can be enabled to protect against similar issues in the future [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.9.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.