CVE-2025-54018
Description
Missing Authorization vulnerability in CreativeMindsSolutions CM Pop-Up banners cm-pop-up-banners allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CM Pop-Up banners: from n/a through <= 1.8.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in CM Pop-Up banners plugin (versions ≤1.8.4) allows unauthenticated attackers to exploit misconfigured access controls, enabling unauthorized actions.
Vulnerability Overview
The CM Pop-Up banners plugin for WordPress (versions through 1.8.4) contains a missing authorization vulnerability. The issue stems from incorrect access control security levels, allowing exploitation of broken access controls. This is classified as a Missing Authorization vulnerability (CWE-862). [1]
Exploitation Method
An attacker can exploit this vulnerability without authentication by sending crafted requests to the plugin. The lack of proper capability checks or nonce tokens means unprivileged users can execute actions that should require higher privileges. The vulnerability is present in all versions up to and including 1.8.4. [1]
Impact
Successful exploitation could allow an unprivileged attacker to perform unauthorized actions within the WordPress installation, such as modifying plugin settings or accessing restricted data. While the CVSS score is 4.3 (Medium), the vendor notes this is a low-severity impact and unlikely to be exploited in typical cases, though mass-exploit campaigns have been observed for similar vulnerabilities. [1]
Mitigation
The vulnerability has been patched in version 1.8.5. Users are strongly advised to update immediately. For Patchstack users, auto-updates can be enabled for vulnerable plugins. If updating is not possible, consulting with a hosting provider or web developer is recommended. [1]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
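To act on the Mitigation section above, the following added example (not code from the plugin or from this advisory) reads the installed version of `cm-pop-up-banners` from a WordPress tree and classifies it against the affected range `<= 1.8.4`. The standard `wp-content/plugins/` layout, the fixture file name `plugin.php` and the helper names are assumptions; the sample site is constructed.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "cm-pop-up-banners"   # slug from the CVE description
LAST_AFFECTED = (1, 8, 4)           # affected range on this page: <= 1.8.4

# WordPress takes the plugin version from a "Version:" line in the header comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)

def parse_version(text):
    """Turn '1.8.4' into (1, 8, 4); missing parts become 0, suffixes are ignored."""
    parts = [int(m) for m in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def installed_version(wp_root):
    """Return the header version, 'unknown' if unreadable, None if not installed."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    # The main file name is not given on the page, so check each top-level PHP file.
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        m = VERSION_RE.search(head)
        if m and re.search(r"Plugin Name:", head, re.I):
            return m.group(1)
    return "unknown"

def audit(wp_root):
    """Classify one site: not-installed, unknown, vulnerable or patched."""
    v = installed_version(wp_root)
    if v is None:
        return "not-installed"
    if v == "unknown":
        return "unknown"
    return "vulnerable" if parse_version(v) <= LAST_AFFECTED else "patched"

def make_sample_site(root, version):
    """Constructed fixture: a fake plugin directory holding only a header comment."""
    d = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
    d.mkdir(parents=True)
    (d / "plugin.php").write_text(f"<?php\n/*\nPlugin Name: CM Pop-Up banners\nVersion: {version}\n*/\n")
    return root

if __name__ == "__main__":
    for ver in ("1.8.4", "1.8.5"):
        with tempfile.TemporaryDirectory() as tmp:
            print(ver, audit(make_sample_site(tmp, ver)))
```

An `unknown` result means the plugin directory exists but no version header could be read, which warrants a manual check rather than being treated as patched.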
Affected products
- (no CPE), range: <= 1.8.4
- (no CPE), range: <= 1.8.4
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.