CVE-2025-62138

The WP Advanced PDF plugin for WordPress versions <= 1.1.7 suffers from a missing authorization vulnerability. The plugin fails to properly enforce access control checks, allowing attackers to exploit incorrectly configured security levels. This flaw falls under the category of incorrectly configured access control security levels, as described in the vulnerability disclosure [1].

An attacker can exploit this vulnerability without needing direct authentication due to the missing authorization mechanism. The attack vector is through the plugin's functionality, which bypasses standard WordPress capability checks. Because it is a network-accessible vulnerability, any unauthenticated user who can trigger the relevant plugin functionality may be able to abuse it [1].

Successful exploitation could allow an attacker to access sensitive data or perform unauthorized actions through the plugin, potentially affecting the confidentiality and integrity of the WordPress site. The CVSS v3 score of 5.3 indicates a medium severity risk [1].

As of the publication date, no patch was available for the affected version. Users are advised to update the plugin immediately upon release of a fixed version. The vulnerability is listed in the Patchstack database, and similar flaws have been observed in mass-exploit campaigns, emphasizing the need for prompt mitigation [1].