CVE-2025-60088
Description
Missing Authorization vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebinarIgnition: from n/a through <= 4.06.04.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WebinarIgnition plugin <=4.06.04 has missing authorization allowing unprivileged attackers to exploit incorrectly configured access controls.
Vulnerability Overview
The vulnerability is a Missing Authorization issue in the WebinarIgnition plugin by Saleswonder Team (Tobias). It affects versions from n/a through 4.06.04. The root cause is an incorrectly configured access control security level, meaning that certain functions do not properly enforce authorization, authentication, or nonce token checks [1].
Exploitation
This broken access control vulnerability can be exploited by unauthenticated or low-privilege attackers to perform higher-privileged actions without proper authorization. The attack surface is broad, as the plugin is used on thousands of WordPress websites, and the vulnerability is expected to be used in mass-exploit campaigns [1]. No special prerequisites beyond network access to the site are mentioned.
Impact
Successful exploitation allows an attacker to bypass access control restrictions and execute actions normally reserved for higher-privileged users. The CVSS v3 score is 6.5 (Medium), reflecting the moderate potential for harm [1].
Mitigation
The vendor has released version 4.06.05, which patches the vulnerability. Users are strongly advised to update immediately. For those unable to update, implementing a mitigation rule (such as those provided by Patchstack) can block attacks until the update is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.