CVE-2025-60143
Description
Missing Authorization vulnerability in netgsm Netgsm (netgsm) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Netgsm: from n/a through <= 2.9.69.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Netgsm WordPress plugin versions up to 2.9.69 contain a missing authorization vulnerability allowing unprivileged attackers to exploit incorrectly configured access controls.
Vulnerability Overview
The Netgsm WordPress plugin (netgsm), in versions up to and including 2.9.69, suffers from a Missing Authorization vulnerability [1]. This flaw stems from incorrectly configured access control security levels, meaning the plugin fails to properly verify that a user has the necessary privileges before allowing certain actions [1]. The issue is classified as a Broken Access Control vulnerability, which typically involves missing authorization, authentication, or nonce token checks in a function that could allow an unprivileged user to execute a higher-privileged action [1].
Exploitation Context
Attackers can exploit this vulnerability without requiring any special privileges, as the access control checks are missing or improperly implemented [1]. The vulnerability is noted to be used in mass-exploit campaigns, where attackers target thousands of websites simultaneously regardless of their size or popularity [1]. The CVSS v3 base score is 4.3 (Medium), reflecting the potential for unauthorized access but not full system compromise [1].
Impact and Mitigation
Successful exploitation could allow an attacker to perform actions that should be restricted to higher-privileged users, potentially leading to unauthorized data exposure or modification of sensitive data [1]. The vendor has not yet released a patched version beyond 2.9.69, so immediate action is recommended: update the plugin if a newer version becomes available, or contact your hosting provider or web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.