VYPR
High severity 7.1 · NVD Advisory · Published Jun 9, 2025 · Updated Apr 23, 2026

CVE-2025-47527

Description

A missing authorization vulnerability in Icegram Collect (rainmaker) plugin up to version 1.3.18 allows unauthenticated exploitation of access control levels.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

Icegram Collect (icegram-rainmaker), a WordPress plugin, suffers from a missing authorization vulnerability affecting versions through 1.3.18 [1]. The issue stems from incorrectly configured access control security levels, which attackers can exploit to perform actions normally reserved for higher-privileged users without proper authentication checks [1].

Attack Vector and Exploitation

The vulnerability falls under the broken access control category, meaning functions lack proper authorization, authentication, or nonce token verification [1]. This allows unauthenticated or low-privileged users to execute higher-privileged actions. The plugin's widespread use on thousands of websites makes it a target for mass-exploit campaigns, as noted in the advisory [1].

Impact

If exploited, an attacker could gain unauthorized access to sensitive functions, potentially leading to data exposure, modification, or other malicious outcomes. The CVSS score of 7.1 (High) reflects the moderate danger and likelihood of exploitation, with automated attack tools expected to target this vulnerability in the wild [1].

Mitigation

The vulnerability is fixed in version 1.3.19 of the Icegram Collect plugin. Users are strongly advised to update immediately. If updating is not possible, temporary mitigation rules (available via Patchstack) can block attacks until the update is applied [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

References: 1
