CVE-2025-57990
Description
Missing Authorization vulnerability in solwininfotech Blog Designer blog-designer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Blog Designer: from n/a through <= 3.1.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Blog Designer plugin up to v3.1.8 allows unprivileged users to exploit incorrectly configured access control.
CVE-2025-57990 is a missing authorization vulnerability in the Blog Designer plugin for WordPress, affecting versions through 3.1.8. The root cause is an absence of proper access control checks in certain plugin functions, so requests are processed without the required authentication or capability verification.
The vulnerability can be exploited by any unauthenticated or low-privileged user who can send crafted HTTP requests to the WordPress site. An attacker does not need special privileges; the missing nonce or capability check means the plugin fails to validate the user's authorization before performing sensitive actions.
Successful exploitation enables an attacker to modify blog design settings or perform other privileged operations that should be restricted to administrators. This could lead to defacement, data exposure, or further compromise of the WordPress instance. Patchstack notes these flaws are commonly used in mass-exploit campaigns targeting thousands of sites [1].
A patched version has superseded 3.1.8. Users should update the Blog Designer plugin to the latest secure version immediately. If updating is not possible, applying a Web Application Firewall rule or contacting the hosting provider for temporary mitigations is advised [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=3.1.8
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.