CVE-2025-57985

Vulnerability

Overview The Ultimate Watermark plugin for WordPress (versions up to and including 1.1) contains a missing authorization vulnerability. This issue stems from incorrectly configured access control security levels, allowing unauthenticated or low-privileged users to perform actions that should require higher privileges [1].

Exploitation

Attackers can exploit this broken access control by sending crafted requests to endpoints that lack proper authorization checks. The plugin does not verify user capabilities before executing sensitive functions, enabling attackers to bypass access restrictions [1].

Impact

While the vulnerability is rated as low severity (CVSS 4.3), it can be leveraged in mass-exploit campaigns targeting thousands of WordPress sites. An attacker could gain unauthorized access to plugin settings or modify watermark configurations, potentially defacing sites or stealing content [1].

Mitigation

The vendor has released version 1.1.1 to address the issue. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. The vulnerability is considered unlikely to be actively exploited, but immediate action is recommended [1].