CVE-2025-60155
Description
Missing Authorization vulnerability in loopus WP Virtual Assistant VirtualAssistant allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Virtual Assistant: from n/a through <= 3.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WP Virtual Assistant plugin (≤3.0) allows unauthenticated attackers to exploit broken access controls, potentially leading to unauthorized actions.
Vulnerability Overview
The WP Virtual Assistant plugin for WordPress, versions up to and including 3.0, suffers from a missing authorization vulnerability. This flaw stems from incorrectly configured access control security levels, meaning the plugin fails to properly verify user permissions before allowing certain actions. As a result, the plugin is exposed to broken access control issues, which are a common class of vulnerabilities in WordPress plugins [1].
Exploitation
Exploitation of this vulnerability does not require authentication, as the missing authorization checks allow any unauthenticated visitor to trigger the vulnerable functions. Attackers can target thousands of websites running the affected plugin in mass-exploit campaigns, regardless of site size or popularity. The attack surface is broad because the plugin is widely used and the vulnerability is easily reachable over the network [1].
Impact
A successful exploit enables an attacker to perform actions that should be restricted to higher-privileged users, such as administrators. This could include modifying plugin settings, accessing sensitive data, or performing other unauthorized operations within the WordPress installation. The CVSS v3 base score is 5.3 (Medium); the attack complexity is low and no user interaction is required [1].
Mitigation
The vendor has not released a patched version as of the publication date. If a secure version becomes available, update the plugin to it immediately. Until an update exists, users should consider disabling the plugin or implementing a web application firewall (WAF) rule to block exploitation attempts. Hosting providers or web developers can assist with temporary workarounds [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 3.0
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.