VYPR
Medium severity · 4.3 · NVD Advisory · Published Sep 26, 2025 · Updated Apr 23, 2026

CVE-2025-60128

Description

Missing Authorization vulnerability in WP Delicious Delisho dr-widgets-blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Delisho: from n/a through <= 1.1.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Delisho dr-widgets-blocks plugin <=1.1.3 has a missing authorization vulnerability allowing low-privilege users to exploit incorrectly configured access controls.

The Delisho dr-widgets-blocks plugin for WordPress, versions 1.1.3 and earlier, suffers from a missing authorization vulnerability. The root cause is an incorrectly configured access control security level, meaning that certain functions do not properly verify user permissions before executing privileged actions [1].

Attackers can exploit this flaw without needing elevated privileges, as the missing authorization check allows unprivileged users to trigger higher-privileged actions. The vulnerability can be leveraged in mass exploitation campaigns targeting thousands of websites, regardless of site size or popularity [1].

An attacker can bypass intended access restrictions, potentially leading to unauthorized data manipulation or site compromise. The vulnerability has a CVSS v3 score of 4.3 (Medium). It is considered a low-severity issue, but exploitation is realistic because the plugin is widely used [1].

Mitigation is straightforward: users must update to version 1.1.4 or later. Patchstack users can enable auto-updates for vulnerable plugins. If an immediate update is not feasible, contacting a hosting provider or developer is recommended as a temporary measure [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

References (1)
