CVE-2025-49349

Vulnerability

Overview The Reuters Direct plugin for WordPress (versions up to and including 3.0.0) contains a missing authorization vulnerability [1]. This means the plugin fails to properly verify whether a user has the necessary permissions before executing certain actions, leading to broken access control. The core issue is that functions lack proper authorization, authentication, or nonce token checks, allowing unprivileged users to perform actions reserved for higher-privileged roles [1].

Exploitation

Details Attackers can exploit this vulnerability without requiring authentication. By sending specifically crafted HTTP requests to affected endpoints, they can bypass access control checks. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of WordPress sites, as it does not require prior access or special network position [1]. The attack surface is broad, affecting any site running the vulnerable plugin.

Impact

Successful exploitation allows an attacker to execute higher-privileged actions, such as modifying plugin settings, accessing sensitive data, or potentially taking over the site. Depending on the specific functionality exposed, this could lead to full site compromise or data breaches.

Mitigation

As of the publication date (2025-12-31), no official patch has been released. Users are strongly advised to update the plugin as soon as a patched version becomes available. If immediate updating is not possible, consider disabling the plugin or implementing web application firewall rules to block malicious requests. Given its inclusion in mass-exploit campaigns, prompt action is critical [1].