CVE-2025-54005
Description
Missing Authorization vulnerability in sonalsinha21 SKT Page Builder skt-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SKT Page Builder: from n/a through <= 4.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in SKT Page Builder (≤4.9) allows unauthenticated attackers to exploit incorrectly configured access controls.
Vulnerability Overview
CVE-2025-54005 is a missing authorization vulnerability in the WordPress plugin SKT Page Builder (skt-builder), affecting all versions up to and including 4.9 [1]. The plugin fails to properly enforce access control checks in certain functions, resulting in broken access control that attackers can exploit [1].
Attack Vector and Exploitation
This vulnerability allows an unprivileged attacker to execute actions that should require higher privileges, such as administrative capabilities, without proper authentication or nonce validation [1]. The attack surface is the plugin's frontend or exposed endpoints, requiring no prior authentication. The issue is classified as a broken access control flaw, a class that is typically exploited in mass campaigns targeting thousands of WordPress sites simultaneously [1].
Impact
Successful exploitation could allow an attacker to perform unauthorized actions like modifying content, changing settings, or escalating privileges depending on the specific vulnerable function. The vulnerability has a CVSS v3 score of 4.3 (Medium) and is considered low severity, though it contributes to large-scale attacks when combined with automation [1].
Mitigation
The vendor has released version 5.0 which resolves the issue. Users are strongly advised to update the SKT Page Builder plugin to version 5.0 or later immediately. Patchstack users can enable auto-updates for vulnerable plugins to protect their sites [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=4.9
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.