CVE-2025-54739

Vulnerability

Overview CVE-2025-54739 describes a missing authorization vulnerability in the WordPress plugin Nexter Blocks (the-plus-addons-for-block-editor) versions up to and including 4.5.4. The plugin fails to properly enforce access control checks on certain functions, leading to an incorrectly configured access control security level [1].

Exploitation

An attacker can exploit this vulnerability without authentication, as the missing authorization check allows unprivileged users or even unauthenticated visitors to execute functions that should be restricted to higher-privileged roles. The attack vector does not require any special network position or user interaction, making it suitable for mass exploitation campaigns [1].

Impact

Successful exploitation could allow an attacker to perform unauthorized actions, such as modifying plugin settings or accessing sensitive data, depending on the affected functionality. The CVSS v3 base score is 5.3 (Medium), indicating moderate impact on confidentiality and integrity [1].

Mitigation

The vulnerability has been patched in Nexter Blocks version 4.5.5. Users are strongly advised to update to at least version 4.5.5 or later. For those who cannot update immediately, Patchstack recommends consulting with hosting providers or developers to implement temporary workarounds. Auto-updates can be enabled for vulnerable plugins [1].