CVE-2025-50009
Description
Missing Authorization vulnerability in Climax Themes Kata Plus kata-plus allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Kata Plus: from n/a through <= 1.5.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Kata Plus plugin 1.5.3 and below allows unprivileged attackers to exploit incorrectly configured access controls.
Vulnerability Overview
CVE-2025-50009 is a missing authorization vulnerability in the Kata Plus plugin for WordPress, affecting all versions from n/a through 1.5.3 [1]. The plugin fails to properly enforce access control checks on certain functions, allowing attackers to exploit incorrectly configured access control security levels [1]. In practice, this broken access control issue is the absence of the authentication or nonce token checks that a function requiring higher privileges should perform [1].
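As an added illustration (not code from Kata Plus, whose affected function this record does not identify), the following shows a WordPress AJAX handler with the class of defect described above, followed by the hardened form; the hook, option and nonce names are hypothetical:

```php
<?php
// Added example, not Kata Plus code. Hook, option and nonce names are hypothetical.

// VULNERABLE: reachable by any logged-in user via admin-ajax.php and, because it
// is also registered on wp_ajax_nopriv_*, by unauthenticated visitors. There is no
// capability check and no nonce check, so anyone can change the option.
function example_save_setting_unchecked() {
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_setting_unchecked', 'example_save_setting_unchecked' );
add_action( 'wp_ajax_nopriv_example_save_setting_unchecked', 'example_save_setting_unchecked' );

// HARDENED: require a nonce bound to the current user (proves the request was
// intentionally issued from the plugin's own page) AND a capability appropriate to
// the action (proves the user is allowed to do it). An administrative action gets
// no wp_ajax_nopriv_* hook at all.
function example_save_setting_hardened() {
    // check_ajax_referer() terminates the request with 403 if the nonce passed in
    // the 'nonce' field is missing or does not verify for action 'example_save_setting'.
    check_ajax_referer( 'example_save_setting', 'nonce' );

    // A valid nonce is not authorization: a subscriber can obtain one for pages they
    // can see. The capability check is what enforces the privilege level.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_hardened' );

// The nonce is issued server-side when the admin script is enqueued, for example:
// wp_localize_script( 'example-admin', 'exampleAjax', array(
//     'nonce' => wp_create_nonce( 'example_save_setting' ),
// ) );
```

When reviewing a plugin for this class of issue, look for every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and REST route callback that changes state and confirm it performs both checks, since a nonce alone or a capability alone is insufficient.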
Attack Vector
Attackers can exploit this vulnerability without requiring elevated privileges, as the missing authorization allows unauthenticated or low-privileged users to perform actions intended for higher-privileged users [1]. The vulnerability is particularly dangerous because it can be used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1]. No special network position or complex prerequisites are needed; the attack can be executed remotely.
Impact
Successful exploitation enables an attacker to bypass intended access restrictions, potentially leading to unauthorized data access or modification, privilege escalation, or other actions that compromise the site's security [1]. While classified as medium severity (CVSS v3 score 5.4), the risk is elevated due to the prevalence of automated exploit campaigns targeting this type of vulnerability [1].
Mitigation
The vendor has released version 1.5.4, which resolves the vulnerability [1]. An immediate update to Kata Plus 1.5.4 or later is strongly recommended. Where an immediate manual update is not possible, Patchstack users can enable auto-updates for vulnerable plugins, and other site owners should contact their hosting provider or web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in the index yet)