CVE-2025-62147
Description
Missing Authorization vulnerability in nikmelnik Realbig realbig-media allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Realbig: from n/a through <= 1.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Realbig WordPress plugin (<=1.1.3) allows attackers to exploit incorrect access control, leading to unauthorized actions.
Vulnerability Overview
CVE-2025-62147 is a missing authorization vulnerability in the Realbig (realbig-media) WordPress plugin, affecting versions up to and including 1.1.3. The plugin fails to properly enforce access control checks, allowing unprivileged users to perform actions that require higher privileges. This is a classic broken access control issue, where the software does not verify that a user has the necessary permissions before executing a function [1].
Exploitation
An attacker can exploit this vulnerability without authentication, as the missing authorization check does not require a valid session or nonce. The attack vector is network-based, and no special privileges are needed. This makes it possible for unauthenticated remote attackers to potentially access or modify protected resources, such as plugin settings or data, that should be restricted to administrators [1].
Impact
Successful exploitation could allow an attacker to escalate privileges, access sensitive information, or perform unauthorized actions on the WordPress site. Given that this vulnerability is present in a plugin used for media management, it could lead to data exposure or site defacement. The CVSS score of 5.3 (Medium) reflects the moderate impact and low complexity of the attack.
Mitigation
The vendor has not released a patch at the time of publication, and the plugin may be abandoned. Users are advised to immediately update the plugin if a patched version becomes available, or consider removing it and finding an alternative. Since this vulnerability may be used in mass-exploit campaigns (common with broken access control issues in WordPress plugins), taking action promptly is crucial to prevent site compromise [1].
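Since no fixed version exists, the practical first step is finding which sites carry the plugin at all. The following is an added example, not code from the vendor or from this advisory: it checks a WordPress root for the `realbig-media` plugin directory and compares the `Version:` header of its main file against 1.1.3. It assumes the standard `wp-content/plugins/<slug>` layout and checks files on disk only, not whether the plugin is active.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "realbig-media"   # slug from the CVE description
LAST_AFFECTED = (1, 1, 3)       # "through <= 1.1.3"; no fixed version is known
HEADER_BYTES = 8192             # WordPress reads plugin headers from the first 8 KB
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d[\w.\-]*)", re.I | re.M)


def installed_version(wp_root):
    """Version string of the plugin under wp_root, None if absent, 'unknown' if unreadable."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
        match = VERSION_RE.search(head)
        if match and NAME_RE.search(head):
            return match.group(1)
    return "unknown"


def version_tuple(text):
    """'1.1.3' -> (1, 1, 3); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def is_affected(wp_root):
    """True when an affected or unidentifiable copy of the plugin is on disk."""
    version = installed_version(wp_root)
    if version is None:
        return False
    if version == "unknown":
        return True  # directory present but no header: review by hand
    found = version_tuple(version)
    width = max(len(found), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(found) <= pad(LAST_AFFECTED)


if __name__ == "__main__":
    for root in sys.argv[1:]:
        print(root, installed_version(root), "AFFECTED" if is_affected(root) else "ok")
```

Run it with one or more WordPress root directories as arguments; a result of `unknown` means the plugin directory exists but no header could be read.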
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0. No patches discovered yet.
References: 1
News mentions: 0. No linked articles in our index yet.