CVE-2025-62144

Vulnerability

Overview

The Core Web Vitals & PageSpeed Booster WordPress plugin, versions up to and including 1.0.28, contains a missing authorization vulnerability. This flaw stems from incorrectly configured access control security levels, allowing exploitation of broken access control mechanisms [1]. The vulnerability is classified as a broken access control, meaning a function lacks proper authorization or nonce checks, enabling unprivileged users to execute higher-privileged actions [1].

Exploitation

Attackers can exploit this vulnerability without authentication, targeting thousands of websites in mass-exploit campaigns [1]. The attack surface is broad because the plugin is widely used for performance optimization. No special network position or user interaction is required beyond sending crafted requests to the vulnerable endpoint.

Impact

Successful exploitation allows an attacker to perform actions normally restricted to higher-privileged users, such as modifying plugin settings or accessing sensitive configuration data. This can lead to website defacement, data exposure, or further compromise of the WordPress installation.

Mitigation

The vendor has not released a patched version as of the publication date. Users are advised to update the plugin immediately if a fix becomes available, or contact their hosting provider for assistance [1]. The vulnerability is listed as medium severity (CVSS 5.4) and is actively used in mass-exploit campaigns, making prompt action critical.