CVE-2025-48166
Description
Missing Authorization vulnerability in sminozzi Stop and Block bots plugin Anti bots antibots allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Stop and Block bots plugin Anti bots: from n/a through <= 1.48.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Stop and Block Bots (Anti Bots) plugin for WordPress up to version 1.48 has a missing authorization vulnerability, allowing unauthenticated access to restricted functionality.
Vulnerability Overview
The Stop and Block Bots (Anti Bots) WordPress plugin, versions 1.48 and earlier, suffers from a missing authorization vulnerability [1]. The plugin fails to properly enforce access control checks on certain functions, meaning that functionality that should require higher privileges is accessible without proper authentication [1]. This is categorized as a Broken Access Control issue, which can allow unprivileged users to execute actions intended for privileged roles.
Attack Vector and Exploitation
Exploitation requires no authentication, as the vulnerability stems from an absent authorization or nonce check in a function [1]. The attack surface is the WordPress admin area or AJAX endpoints exposed by the plugin. An attacker can trigger the vulnerable functionality remotely by sending crafted requests. The CVSSv3 score is 5.3 (Medium), indicating low attack complexity and network access [1].
Impact
Successful exploitation could allow an attacker to access or execute functionality that is not properly constrained by ACLs, potentially leading to unauthorized changes to plugin settings, site configuration, or other privileged actions [1]. While the severity is rated low, such vulnerabilities are known to be used in mass-exploit campaigns targeting thousands of sites [1].
Mitigation
The vendor has released version 1.50 which resolves the vulnerability [1]. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins [1]. For those unable to update, seeking assistance from a hosting provider or web developer is recommended [1].
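To find installs that still need the update, the version ranges stated above can be checked against each site's plugin header. The following is an added example, not code from the plugin or its vendor; it assumes the text of the plugin's main PHP file has already been read, and the sample headers and site names are constructed.

```python
import re

AFFECTED_MAX = (1, 48)  # page: affected "through <= 1.48"
FIXED_MIN = (1, 50)     # page: version 1.50 resolves the vulnerability

# WordPress takes the version from a "Version:" field in the header
# comment of the plugin's main PHP file.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)

def parse_version(header_text):
    """Return the version as a tuple of ints, or None if no field is found."""
    m = _VERSION_RE.search(header_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def _key(v, width=4):
    # Pad with zeros so 1.48.0 compares equal to 1.48.
    return v + (0,) * (width - len(v))

def classify(header_text):
    """Return 'vulnerable', 'fixed' or 'unverified' for one plugin header."""
    v = parse_version(header_text)
    if v is None:
        return "unverified"   # unreadable header: check by hand
    # Components compare as integers (as PHP's version_compare does),
    # so 1.5 sorts below 1.48 and is in the affected range.
    if _key(v) <= _key(AFFECTED_MAX):
        return "vulnerable"
    if _key(v) >= _key(FIXED_MIN):
        return "fixed"
    return "unverified"       # e.g. 1.49: the page states no status for it

# Constructed sample headers, one per hypothetical site.
SAMPLES = {
    "site-a": "<?php\n/*\nPlugin Name: Sample (constructed)\nVersion: 1.48\n*/",
    "site-b": "<?php\n/**\n * Plugin Name: Sample (constructed)\n * Version: 1.50\n */",
    "site-c": "<?php\n/*\nVersion: 1.49\n*/",
    "site-d": "<?php\n/*\nVersion: 1.5\n*/",
    "site-e": "<?php\n// header stripped",
}

def audit(samples):
    """Classify every header; the result maps site name to status."""
    return {site: classify(text) for site, text in samples.items()}

if __name__ == "__main__":
    for site, status in audit(SAMPLES).items():
        print(f"{site}: {status}")
```

Anything reported as `unverified` needs a manual look, since the page gives no status for versions between 1.48 and 1.50.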
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.48
- Range: <=1.48
Patches
No patches discovered yet.
References
1 reference
News mentions
No linked articles in our index yet.