VYPR
Medium severity 5.4 · NVD Advisory · Published Aug 28, 2025 · Updated Apr 23, 2026

CVE-2025-53337

Description

Missing Authorization vulnerability in Ashan Perera LifePress lifepress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LifePress: from n/a through <= 2.1.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LifePress WordPress plugin <=2.1.3 has a missing authorization vulnerability allowing unauthenticated exploitation of privileged actions.

The LifePress plugin for WordPress, versions up to 2.1.3, contains a missing authorization vulnerability (broken access control). The root cause is the lack of proper nonce or capability checks in functions that perform privileged actions, allowing attackers to exploit incorrectly configured access control security levels [1].

This vulnerability can be exploited by an attacker without any authentication or special privileges. By sending specially crafted requests, an unauthenticated attacker can trigger higher-privileged actions normally restricted to administrators. The attack surface is the WordPress web interface, and no prior access to the site is required [1].

Successful exploitation allows an attacker to execute actions that should require higher permissions, such as modifying plugin settings or data. This can lead to partial loss of integrity and confidentiality, potentially enabling further attacks like site defacement or data theft [1].

The vulnerability is patched in version 2.2 and later. Users are strongly advised to update immediately. If unable to update, consider using security plugins like Patchstack that provide virtual patching or mitigation rules to block exploitation attempts [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
