CVE-2025-62086
Description
Missing Authorization vulnerability in akazanstev Яндекс Доставка (Boxberry) boxberry allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Яндекс Доставка (Boxberry): from n/a through <= 2.34.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Яндекс Доставка (Boxberry) WordPress plugin <=2.34 has a missing authorization vulnerability allowing exploitation of incorrectly configured access control levels.
Vulnerability Overview
The Яндекс Доставка (Boxberry) plugin for WordPress, developed by akazanstev, contains a missing authorization vulnerability. This flaw affects all plugin versions up to and including 2.34. The issue arises from a broken access control mechanism, where the plugin fails to properly enforce authorization checks on certain functions or endpoints [1].
Exploitation Details
An unauthenticated or low-privileged attacker can exploit this missing authorization to access or execute actions that should require higher privileges. The vulnerability involves incorrectly configured access control security levels, potentially allowing an attacker to bypass intended restrictions [1]. The exact attack vector is not specified in the available references, but such flaws can often be triggered by sending specially crafted requests to the affected plugin's endpoints.
Impact Assessment
If successfully exploited, an attacker could gain unauthorized access to administrative functions or sensitive data within the WordPress installation. This could lead to privilege escalation, data leakage, or further compromise of the site. The vulnerability has a CVSS v3 score of 5.4 (Medium), indicating a moderate severity level [1].
Mitigation Status
As of the publication date (2025-12-09), the affected versions are n/a through 2.34. The reference advises updating the plugin to the latest patched version. If an immediate update is not possible, administrators are urged to contact their hosting provider or web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <= 2.34
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.