CVE-2025-49991
Description
Missing Authorization vulnerability in tggfref WP-Recall allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WP-Recall: from n/a through 16.26.14.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WP-Recall plugin versions through 16.26.14 have a missing authorization vulnerability allowing unauthenticated access to restricted functionality.
The WP-Recall plugin for WordPress suffers from a missing authorization vulnerability in all versions through 16.26.14. This flaw allows attackers to access functionality that should be constrained by Access Control Lists (ACLs), effectively bypassing access controls [1].
Exploitation does not require authentication, as the missing authorization check means any unauthenticated user can trigger the vulnerable functions. The attack surface is broad because the plugin is widely used, and the vulnerability can be exploited remotely over HTTP. No special network position is needed; an attacker only needs to send crafted requests to the WordPress site [1].
The impact is that an attacker can access restricted functionality, potentially leading to unauthorized actions such as viewing sensitive data, modifying settings, or performing other privileged operations. The CVSS score of 5.3 (Medium) reflects the potential for partial compromise without authentication [1].
As of the publication date, no patch has been released; users are advised to update the plugin if a fix becomes available. Given that such vulnerabilities are used in mass-exploit campaigns, immediate action is recommended, such as disabling the plugin or applying a web application firewall rule [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.