CVE-2025-47486
Description
Missing Authorization vulnerability in CyberChimps Responsive Plus responsive-add-ons allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Responsive Plus: from n/a through <= 3.1.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Responsive Plus plugin below 3.2.0 has a broken access control flaw allowing unauthenticated access to restricted functionality.
Vulnerability Overview
Responsive Plus, a WordPress plugin by CyberChimps, contains a missing authorization vulnerability in its responsive-add-ons component in versions through 3.1.9. The flaw allows unauthenticated users to access functionality that should be constrained by access control lists (ACLs) [1].
Exploitation Details
The vulnerability is categorized as a broken access control defect, meaning the plugin fails to perform adequate authorization or nonce token checks on certain functions. An attacker can exploit this by sending crafted requests to the affected endpoint without needing any authentication, enabling them to trigger actions or access features intended for higher-privileged users [1].
Impact
Successful exploitation enables an unprivileged attacker to access restricted functionality within the plugin. While the severity is rated Medium (CVSS 5.3) and the vendor describes the impact as low severity and unlikely to be exploited, mass-exploit campaigns have been observed targeting similar vulnerabilities to attack thousands of websites simultaneously [1].
Mitigation
The vulnerability is fixed in version 3.2.0 of the Responsive Plus plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended as a workaround [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 3.1.9
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.