CVE-2025-48326

The Acclectic Media Organizer WordPress plugin, versions up to and including 1.4, contains a missing authorization vulnerability. This is a broken access control issue where the plugin fails to properly verify user permissions or nonce tokens before allowing certain functions. The root cause is the absence of appropriate access control checks in the plugin's code, enabling lower-privileged or unauthenticated users to perform actions that should be reserved for higher-privileged roles [1].

Exploitation requires no authentication and is straightforward due to the lack of authorization checks. Attackers can target this vulnerability remotely over the network. The vulnerability is considered moderately dangerous and is expected to be exploited in mass campaigns, where attackers scan for and compromise thousands of WordPress sites running the vulnerable plugin, regardless of site traffic or popularity [1].

Successful exploitation could allow attackers to perform unauthorized administrative actions, such as modifying or deleting media entries, altering plugin settings, or other actions that the plugin controls. This could lead to defacement, data loss, or further compromise of the WordPress installation. The impact is amplified by the potential for automated, widespread attacks [1].

Mitigation is available by updating the plugin to a patched version beyond 1.4. For users who cannot update immediately, it is recommended to contact their hosting provider or a web developer for assistance in applying a workaround or temporary disablement of the plugin [1].