CVE-2025-62092
Description
Missing Authorization vulnerability in Wiremo Wiremo woo-reviews-by-wiremo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wiremo: from n/a through <= 1.4.99.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Wiremo WooCommerce Reviews plugin <=1.4.99 has broken access control, allowing unauthenticated attackers to exploit misconfigured security levels.
Vulnerability
Overview
The Wiremo WooCommerce Reviews plugin for WordPress (woo-reviews-by-wiremo), in versions up to and including 1.4.99, suffers from a Missing Authorization vulnerability [1]. This broken access control flaw stems from incorrectly configured access control security levels, meaning the plugin fails to properly enforce capability checks or nonce tokens in certain functions [1].
Exploitation
An attacker can exploit this vulnerability without requiring authentication or higher privileges, as the missing authorization allows any unprivileged user to execute actions that should be restricted [1]. The attack surface is accessible via the web interface, and given the nature of WordPress plugins, it can be chained with other vulnerabilities in automated mass-exploit campaigns [1].
Impact
Successful exploitation grants an attacker the ability to perform unauthorized actions that could lead to data exposure, privilege escalation, or other malicious outcomes, depending on the affected functionality [1]. The vulnerability is rated as Medium severity with a CVSS v3 score of 5.3, and the official advisory notes that such flaws are commonly used in mass-exploit campaigns targeting thousands of websites [1].
Mitigation
Users are strongly advised to immediately update the Wiremo plugin to a version newer than 1.4.99, as the vendor has likely released a patched version [1]. For those unable to update, contacting the hosting provider or a web developer for assistance is recommended [1]. There is no mention of the plugin being end-of-life or listed in CISA's KEV catalog.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.