CVE-2025-57991
Description
Missing Authorization vulnerability in Clariti Clariti clariti allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Clariti: from n/a through <= 1.2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Clariti WordPress plugin (≤1.2.1) allows unprivileged users to exploit incorrectly configured access controls.
Vulnerability Overview
CVE-2025-57991 is a missing authorization vulnerability in the Clariti WordPress plugin, affecting versions from n/a through 1.2.1. The root cause is an incorrectly configured access control security level, which fails to properly enforce authorization checks for certain functions. This allows an attacker to exploit broken access control mechanisms without requiring elevated privileges.
Exploitation
Details from Patchstack indicate this is a broken access control issue, meaning the plugin lacks proper authorization, authentication, or nonce token checks in a function that could lead to an unprivileged user executing a higher privileged action [1].
Exploitation and Impact
An attacker can exploit this vulnerability by sending crafted requests to the vulnerable plugin endpoints, bypassing intended access restrictions. The attack does not require authentication, as the missing authorization check allows any unauthenticated user to perform actions that should be restricted to higher-privileged roles. The CVSS v3 score of 5.4 (Medium) reflects the potential for unauthorized access to sensitive functionality.
Mitigation
The vulnerability has been addressed in version 1.2.2 of the Clariti plugin. Users are strongly advised to update to this version or later. Patchstack users can enable auto-update for vulnerable plugins. For those unable to update immediately, consulting a hosting provider or web developer is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.