CVE-2025-58979
Description
Missing Authorization vulnerability in BerqWP BerqWP searchpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BerqWP: from n/a through <= 2.2.53.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing Authorization in BerqWP searchpro (≤2.2.53) allows unauthenticated attackers to exploit incorrectly configured access controls.
The BerqWP searchpro plugin for WordPress versions through 2.2.53 suffers from a Missing Authorization vulnerability (CWE-862) [1]. The plugin fails to enforce proper access control checks on certain functions, leaving security levels incorrectly configured. This means that actions which should require higher privileges are accessible without the necessary authentication or nonce token verification [1].
Exploitation does not require any privileged access or user interaction; an unauthenticated attacker can leverage this broken access control to perform actions normally reserved for higher-level users. The attack surface is the plugin's functions that lack authorization checks, making it possible to trigger them remotely via crafted requests [1].
The impact is considered low severity with a CVSS v3 base score of 5.3 (Medium) [1]. An attacker could execute unauthorized actions within the plugin's context, potentially affecting data integrity or leading to further compromise. The vulnerability is known to be used in mass-exploit campaigns, targeting thousands of WordPress sites regardless of their size or popularity [1].
Affected users should immediately update to BerqWP searchpro version 2.2.54 or later, which resolves the issue [1]. If updating is not possible, users can enable auto-updates via Patchstack or contact their hosting provider for assistance. No workarounds beyond updating have been published [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
- (no CPE) range: <=2.2.53
- (no CPE) range: <=2.2.53
Patches
0: No patches discovered yet.
References
1
News mentions
0: No linked articles in our index yet.