VYPR
Medium severity (CVSS 6.5) · NVD Advisory · Published Dec 18, 2025 · Updated Apr 15, 2026

CVE-2025-54745

Description

Missing Authorization vulnerability in miniOrange miniOrange's Google Authenticator miniorange-2-factor-authentication allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects miniOrange's Google Authenticator: from n/a through <= 6.1.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The miniOrange Google Authenticator plugin for WordPress (≤ 6.1.1) has a missing authorization flaw that lets unprivileged users exploit incorrectly configured access control security levels.

The miniOrange Google Authenticator plugin for WordPress (version ≤ 6.1.1) suffers from a missing authorization vulnerability. The root cause is an incorrectly configured access control security level in the plugin, which fails to properly verify user permissions before allowing certain actions. This flaw is categorized as a broken access control issue, meaning that the plugin does not enforce appropriate authorization checks for functions that should require higher privileges [1].

The description does not state whether exploitation requires authentication; it characterises the flaw as exploiting incorrectly configured access control security levels, and Patchstack expects it to be used in mass-exploitation campaigns. The attack surface is exposed through the WordPress admin interface, no special network position is needed, and attackers can target thousands of websites at once. Because it is a missing authorization flaw, an unauthenticated or low-privileged user could potentially access or trigger higher-privileged actions that should be restricted [1].

The impact is moderate (CVSS 6.5) but made more dangerous by the mass-exploitation potential. An attacker could gain unauthorized access to configuration settings or other privileged operations within the plugin, potentially bypassing two-factor authentication or altering security settings. The vulnerability is expected to be used in mass-exploitation campaigns against WordPress sites regardless of size or popularity [1].

To mitigate this issue, users should update the plugin to version 6.1.2 or later, which contains the fix. For those unable to update immediately, Patchstack offers a mitigation rule that blocks attacks until the patch is applied. Hosting providers or web developers can assist with the update process [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)