CVE-2025-49979

Vulnerability

Description

The Media Hygiene plugin for WordPress, versions up to and including 4.0.1, contains a missing authorization vulnerability (CWE-862). This is a broken access control issue where the software fails to perform proper authorization checks for functions that should require higher privileges. This allows unprivileged users to execute certain actions that are restricted to higher-level roles [1].

Exploitation

Conditions

An attacker must be authenticated with a low-privileged WordPress account (e.g., subscriber or contributor) to exploit this vulnerability. No special network position or additional privileges are needed. The attack surface is limited to functions that lack the required capability checks or nonce token validation [1].

Impact

Successful exploitation enables an authenticated user to perform actions that should require higher privileges, such as administrative functions. This could lead to unauthorized modification of site settings or data. The CVSS v3 base score is 4.3 (Medium), indicating a moderate severity [1].

Mitigation

Status

The vulnerability has been patched in version 4.0.2. Users are strongly recommended to update immediately. For those unable to update, contacting the hosting provider or web developer for assistance is advised [1].

References

[1] Patchstack - Broken Access Control in WordPress Media Hygiene Plugin, https://patchstack.com/database/Wordpress/Plugin/media-hygiene/vulnerability/wordpress-media-hygiene-plugin-4-0-1-broken-access-control-vulnerability?_s_id=cve