CVE-2025-48350

Root

Cause The AutoWP plugin for WordPress (versions up to and including 2.2.7) contains a missing authorization vulnerability. The plugin fails to perform proper access control checks on certain functions, meaning it does not verify that a user has the required permissions before executing privileged actions.

Exploitation

This is a broken access control issue, specifically a missing authorization or nonce token check [1]. An attacker does not need any authentication or special privileges; they can simply send crafted requests to the vulnerable endpoint. The lack of a nonce token means cross-site request forgery (CSRF) protections are also absent, further reducing the barrier to exploitation.

Impact

Successful exploitation allows an unprivileged (or unauthenticated) attacker to execute functions that should be restricted to higher-privileged users, such as administrators. This can lead to unauthorized content injection, settings changes, or other malicious actions. The vulnerability is known to be targeted in mass-exploit campaigns against thousands of websites [1].

Mitigation

Users must update the AutoWP plugin to the latest patched version. If updating is not possible, alternative mitigations include restricting the plugin's directory via .htaccess or contacting a security professional for assistance [1].