CVE-2025-53318
Description
Missing Authorization vulnerability in WPManiax WP DB Booster wp-db-booster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP DB Booster: from n/a through <= 1.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WP DB Booster ≤1.0.1 has a missing authorization check that allows unauthenticated or low-privilege attackers to perform unauthorized actions.
WP DB Booster, a WordPress plugin for database optimization, contains a missing authorization vulnerability in versions up to and including 1.0.1. The plugin fails to properly verify access control security levels, meaning certain functions do not enforce required permissions or nonce token checks. This broken access control issue stems from a lack of authorization checks in the plugin's code.
An attacker can exploit this flaw without needing higher-level privileges. By crafting requests to unprotected endpoints, any unauthenticated user—or a user with minimal privileges—can invoke actions that should be restricted to administrators. The vulnerability does not require authentication bypass in the traditional sense; it simply omits the authorization gate altogether.
The impact of successful exploitation includes unauthorized access to plugin settings, database operations, or other sensitive functionality. Although the CVSS v3 score is 5.4 (Medium), the vendor notes that such vulnerabilities are frequently used in mass-exploit campaigns targeting thousands of WordPress sites [1]. This raises the practical severity for unpatched installations.
Mitigation is straightforward: update WP DB Booster to version 1.0.2 or later as soon as possible [1]. If immediate updating is not feasible, users should restrict access to the plugin's pages via server-level rules or contact their hosting provider for temporary measures. No workarounds beyond updating are mentioned in the advisory.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 1.0.1
- (no CPE) range: <= 1.0.1
Patches
No patches discovered yet.
References