CVE-2025-49902
Description
Missing Authorization vulnerability in A WP Life Login Page Customizer – Customizer Login Page, Admin Page, Custom Design customizer-login-page allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Login Page Customizer – Customizer Login Page, Admin Page, Custom Design: from n/a through <= 2.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A broken access control flaw in the Login Page Customizer plugin up to v2.1.1 allows unauthenticated attackers to exploit incorrectly configured access controls, leading to unauthorized actions.
Vulnerability Overview
The vulnerability is a Missing Authorization issue in the WordPress plugin Login Page Customizer – Customizer Login Page, Admin Page, Custom Design (slug: customizer-login-page), versions n/a through 2.1.1. It arises from incorrectly configured access control security levels, allowing exploitation of the broken access control. [1]
Exploitation Conditions
The flaw does not require authentication, making it remotely exploitable by any unauthenticated attacker. Attackers can leverage this to perform actions that should be restricted to higher-privileged users. This type of vulnerability is commonly used in mass-exploit campaigns targeting large numbers of websites. [1]
Potential Impact
An attacker exploiting this missing authorization can access or modify plugin settings, potentially altering custom login page designs or gaining elevated privileges within the WordPress context. Although the CVSS v3 score is 6.5 (Medium), the actual risk is elevated due to the ease of exploitation and availability of public exploit details. [1]
Mitigation
The vendor has released version 2.1.2, which patches the broken access controls. Users are strongly advised to update immediately to the patched version. Patchstack also offers a mitigation rule to block attacks until the plugin is updated. [1]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.