VYPR
Medium severity 5.3 · NVD Advisory · Published Jul 16, 2025 · Updated Apr 23, 2026

CVE-2025-48155

Description

Missing Authorization vulnerability in enituretechnology Residential Address Detection residential-address-detection allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Residential Address Detection: from n/a through <= 2.5.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Residential Address Detection plugin, versions <= 2.5.9, has a missing authorization flaw that allows unprivileged attackers to access functionality not properly constrained by ACLs.

The WordPress Residential Address Detection plugin, in versions up to and including 2.5.9, lacks proper authorization checks in certain functionality. This is a broken access control (BAC) vulnerability, meaning the plugin fails to verify that a user has the required privileges before executing an action [1].

An attacker with minimal privileges (e.g., a subscriber, or even an unauthenticated user if nonce checks are missing) can exploit this flaw by directly calling vulnerable endpoints. No special setup is needed beyond having any level of WordPress access or sending crafted requests that bypass intended restrictions [1].

Successful exploitation allows an attacker to access functionality that should be constrained by Access Control Lists (ACLs), potentially leading to unauthorized modifications, data exposure, or other actions intended only for higher-privileged roles like administrators [1].

The plugin vendor has addressed this issue in version 2.5.10. Users are strongly advised to update immediately. For those unable to update, manual patching or contacting a hosting provider/web developer is recommended. The vulnerability is considered low severity by the vendor but could be used in mass-exploit campaigns targeting thousands of sites [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
